Problems can occur when unfiltered form data is inserted into a database or used to send emails.
SQL injection, for example, is a method where an attacker tries to "hack" the site's database by submitting SQL fragments through your forms in an attempt to have them run as actual SQL on the server.
In email forms, spamming robots sometimes try subverting the email-sending mechanism to send their own spam through your server.
Form validation is used to make sure that the data is sane and will not cause problems. For example, if you validate that what you expect to be an email address actually is an email address, or that SQL is properly escaped before running it, then you will go a long way towards stopping these ...