WordPress hackers are normally after individual installs that might not be up-to-date or patched. To my knowledge the stuff hosted on wordpress.com is generally immune to that. If there's an issue a central server patch would solve the problem for everything hosted on that domain.
No, please, say it isnt so. MS buys WP, overmanages, restricts access, WP dies a slow death. New OS product emerges. Ack. (This has happenned with at least four companies I know of, albeit they did not have wide adoption like WP and were more niche products, but still, it scares me. I like the word Partnership, at least its not ACQUIRES)