There is a known exploit of xml-rpc with pre-2.6 - WP2.6 now comes default with it switched off, so if you upgrade, theoretically all you have to do is turn it on, but WPD 'should' be testing 2.6 and can advise whether it breaks the auto-content feature or not...
With the amount of blogs that are hacked everyday, I would hope that Wordpress Direct would have put Security at the top of the importance list.
Based on my initial review here:
Some thoughts on Wordpress Direct... the security of WPD seems to be lacking... but hey, just use it for testing and if your niche market works out, then get serious by hosting your own security-upgraded WP install.