Hi friends -
Just a reminder that your WordPress.com sites were not compromised.
There are 2 versions of WordPress. What we do at WordPress.com is separate from the WordPress software that you install and use with a hosting company.
Take a look here to read more about the differences between the 2 versions of WordPress.
When you read about updating your site to 4.7.2 or disabling the REST API it is referring to a site that uses the WordPress software and a hosting company.
All of the updates your WordPress.com site needs are taken care of behind the scenes.