A possibilityEssentially yes it is risk. If you choose to use a third party hosted JavaScript (one example is Google Analytics) in a secure page you open the door for information to be collected. That may involve a maliciously forged certificates or simply a change in the ga.js script by Google.
You could consider the flow of you web application to try and push people through sections that don’t require security to capture analytic data, alternatively you could consider a Google Analytics for Mobile devices implementation.
Devices that do not support JavaScript would not normally be able send analytic data to Google. In this case Google provide alternative server-side implementation samples. See http://code.google.com/apis/analytics/docs/mobile/mobileWebsites.html
In this case if you have access to change the code or extend your web application you could send only the information you want to Google. This will obviously require you server to initiate a connection to Google which may induce load and should be carefully secured.
This design was not the intended for web clients that support JavaScript so you should verify that it does not violate Google’s service terms.