The PIN is what prevents you from sending funds, signing messages, etc. It's a 6-digit code, so it won't be that easy to crack and it could take some time. If you ever get your phone stolen or something, you should recover your wallet somewhere else using the 12-word passphrase they first gave you when you took the backup.
Yes, I have a paper backup of the word list.
However, I tried testing it by restoring this to another phone with Mycelium installed on it, and it appears to restore fine, but from what I saw all that did was set up an account on the new Mycelium wallet with my original address and with the BTC balance on it. It didn't remove the BTC from the original phone; it just exists on both. So what's to stop the person with the lost phone from spending them?
Whilst I'm interested in the answer to this, it doesn't really address how secure the lost phone is - I might not notice the phone being lost for a while for instance.