With regards to including a file from a remote server, it can be done but the remote file (if being called by http) needs to have a different extension to .php otherwise it will be parsed and the output only will be sent. You could give it a .txt extension for example.
Quite what the security implications of this are I don't know. In theory the calling site can't be injected with malicious code directly as it's calling a preset address and assuming that bother servers are bullet proof hack-into-wise then there is no chance of the address being changed or the code on the other end. That said, you can't be sure that both servers are hack proof and there may be other things to take into consideration such as DNS attacks that could redirect the http request to a file on another server.