1) Corrupts SEO measurement because one goal of these spiders is to create links from websites that publish their access logs on the sites they are visiting. Inside their access logs might be the spammer's URL which in turn creates backlinks and can improve the search engine results for the spammer's URL. With a spamming "bot" laying "word eggs" at various unsuspecting sites, any site that publishes analytic data then is an unwitting and free source of the spamming URL, which continues to be read and ranked by Google, usually with higher results.

2) If the referral spam had bad intentions, it could substitute it's own URL to the victim's URL and then those back links could be identified as spam going out from the victim's site and the user is completely unaware that they are now spreading spam because their URL is back linked to the referral spammers access logs.

3) Malware could be spread and utilized because a referral spam crawler can identify which sites have malware embedded in their sites and that data could be "mined" by a third party for sending more spam-type software, or by taking advantage of sites not protected. In short, you are leaving yourself open for someone to come knocking "electronically", and by entering your site can possibly steal information such as bank codes, passwords, etc...

4) As a final kick in the pants, you have to endure seeing these invaders in your GA reports over and over again.