What are the risks if all outgoing connections/ports are open?

I think the "common wisdom" behind locking down traffic egressing the network has always been something like "Bad people could send traffic out of your network in ways you don't want them to." Certainly, I've seen remote exploits foiled by aggressive firewalls preventing the exploit code from FTP'ing out to download its payload, etc. There's some value in limiting egress ports.

Having said that, though, anything can be tunneled over another protocol (arbitrary TCP over HTTP, SSH over DNS, IP over carrier pigeon, etc), so limiting egress ports to limit egress traffic has an air of a false sense of security about it. Unless you're doing layer 7 inspection of the egress traffic you can't really be sure that the thing making requests outbound on TCP port 80 really is an HTTP client. Even if it is an HTTP client, unless you're being very draconian about the layer 7 examination it may be an HTTP client that's tunneling arbitrary data over HTTP.

Limiting egress ports is a good idea, but don't be fooled into thinking that it's a major "security win". "Smart" software (malicious or otherwise; Skype is a good example of a program that handles filtered egress ports very well) will work around you.

As an aside, I'm not aware of Facebook needing anything other than HTTP and HTTPS.


If you have any Windows machines on the LAN I strongly recommend closing at least port 25 to all but the mail server(s). Some viruses/worms will cause the infected machine to send spam emails. This can very quickly get you on block lists, which can have a seriously detrimental effect on your ability to send legitimate emails. This happened where I work just after I started there and it took a fair bit of effort to get removed from those lists. There's no real way to tell just how much revenue the company lost as a result but we do know we lost at least some customers.
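The two answers above make two distinct points: a port allow-list (and in particular restricting TCP/25 to the mail servers) stops the crude cases, while a port number alone cannot tell you that the thing talking on TCP/80 is really an HTTP client. The following is an added example, not code from either answerer, showing both checks as a small egress-policy evaluator run over constructed flow records. The allow-list, the mail-server address, the sample hosts and the sample payloads are all assumptions made up for the example; a real deployment would enforce the port rules on the firewall and the layer 7 check on a proxy or IDS, and this block only shows the decision logic.

```python
"""Egress policy evaluator over constructed flow records (example, not the thread's own code).

Two checks from the discussion above:
  1. Port-based egress control: only an allow-list of destination ports may leave the
     LAN, and TCP/25 is permitted only from the designated mail server(s), so an
     infected workstation cannot deliver spam directly.
  2. A weak layer 7 sanity check: a flow to TCP/80 is only treated as HTTP if the first
     bytes the client sent look like an HTTP request line; anything else on port 80 is
     flagged as a possible tunnel rather than silently allowed.
Every address, port list and payload below is constructed sample data.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical policy values (assumptions, not taken from the thread).
ALLOWED_EGRESS_PORTS = {80, 443, 53}   # web and DNS only
MAIL_SERVERS = {"10.0.0.25"}           # the only host allowed to speak SMTP outbound

# First line of an HTTP/1.x request: method, target, version, CRLF.
HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n"
)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    payload: bytes  # first bytes sent by the client, empty if none captured yet


def evaluate(flow: Flow):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'suspect'."""
    # Rule 1: SMTP leaves the LAN only from the mail servers.
    if flow.dport == 25:
        if flow.src in MAIL_SERVERS:
            return "allow", "smtp from mail server"
        return "block", "smtp from non-mail host (possible spam bot)"
    # Rule 2: everything else must be on the egress allow-list.
    if flow.dport not in ALLOWED_EGRESS_PORTS:
        return "block", f"port {flow.dport} not in egress allow-list"
    # Rule 3: port 80 is only "HTTP" if the payload actually looks like HTTP.
    if flow.dport == 80 and flow.proto == "tcp":
        if not flow.payload:
            return "suspect", "port 80 with no client data captured yet"
        if not HTTP_REQUEST_LINE.match(flow.payload):
            return "suspect", "port 80 but payload is not an HTTP request (tunnel?)"
    return "allow", "matches policy"


# Constructed sample flows (RFC 5737 documentation addresses for the outside hosts).
SAMPLE_FLOWS = [
    Flow("10.0.0.12", "203.0.113.10", 443, "tcp", b"\x16\x03\x01"),          # TLS ClientHello
    Flow("10.0.0.25", "198.51.100.5", 25, "tcp", b""),                        # mail server SMTP
    Flow("10.0.0.40", "198.51.100.5", 25, "tcp", b""),                        # workstation SMTP
    Flow("10.0.0.40", "203.0.113.7", 6667, "tcp", b""),                       # IRC, not allowed
    Flow("10.0.0.12", "203.0.113.20", 80, "tcp", b"GET / HTTP/1.1\r\n"),     # real HTTP
    Flow("10.0.0.33", "203.0.113.21", 80, "tcp", b"SSH-2.0-OpenSSH\r\n"),    # SSH on port 80
    Flow("10.0.0.12", "192.0.2.53", 53, "udp", b""),                          # DNS
]


def audit(flows):
    """Evaluate each flow; return a list of (src, dport, verdict, reason)."""
    return [(f.src, f.dport, *evaluate(f)) for f in flows]


def verdict_counts(flows):
    """Summarise how many flows fell into each verdict."""
    return Counter(verdict for _, _, verdict, _ in audit(flows))


if __name__ == "__main__":
    for src, dport, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{src:<12} -> :{dport:<5} {verdict:<8} {reason}")
    print(dict(verdict_counts(SAMPLE_FLOWS)))
```

The SSH-on-port-80 record is the case the first answer warns about: a pure port filter passes it, and only looking at the payload turns it into something worth investigating. Note that the regex is deliberately crude; a client that wraps its tunnel in genuine HTTP requests would still pass, which is exactly the "tunneling arbitrary data over HTTP" caveat.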