Especially since doing that will let you Federate through compromised comments, and possibly affect other instances using the Federation network, unless they're updated.
Yes. They got hacked. An admin account got compromised, and the hackers exploited a bug in Lemmy-UI (the web site) that let them do things like redirect users to another site that let them run JavaScript. It seems to have let them collect some user tokens from accounts, and access an admin account that way.
Others did get hacked, or are vulnerable to it, but aren't big enough targets?
Beehaw is closed, so they would have had to have an existing account to exploit the same bug (or go through something like Kbin), and Lemmy.world is the biggest Lemmy instance.
No. The existing Lemmy-Lite that was advertised on join-Lemmy.org appears to be massively out of date, and no longer actively maintained.
It was a bug with Lemmy-UI, so you might be able to get away with using an app or site that isn't vulnerable, whether that is Wefwef, one of the apps, like Jerboa, or something that is Federated, but not Lemmy, like Kbin, or Mastodon (things might be a bit clunky if you do, since Lemmy threads aren't well handled by Mastodon).
Just look at Lore. He wiped out a colony, and could do far worse damage if he was both more competent and stable. It eventually escalated to the point where Data had to shut him down, due to the danger he posed to the rest of the Federation.