1. Is this a credible threat right now?
I believe yes. The security bug is real and I won't be surprised if Google decide to reject applications developed with Cordova versions prior to 3.7.2 in the future.
2. Is Cordova 3.7.2 supported in the latest version of AppBuilder?
Currently, the latest Cordova version for Android, supported in AppBuilder is Cordova 3.7.1. The good news however, is that with the upcoming AppBuilder 2.10 release (next week) we will introduce Cordova 3.7.2 and Cordova 4.0.2. What we plan to do is to change the current Cordova 3.7.1 with Cordova 3.7.2 and add one more experimental version (4.0.2) for the Crosswalk compatibility. I think this also answers your question from the last post.
3. Is the upgrade path from 3.5.1 to 3.7.2 straight forward or complex
To upgrade the Cordova version of your AppBuilder project you only need to change it from the drop-down in the project's properties. We handle everything else, automatically on the server. However, it is important that you test the functionality of the application after upgrading, as it is possible for issues or certain defects to arise.
Further, after the upcoming AppBuilder 2.10 release, Cordova 3.7.2 will still be marked as experimental. Nevertheless, this only means that it haven't been extensively tested on our side. In other words, if issues occur with an experimental version, we will be happy to know about them and will also try to address such as soon as possible. The experimental tag of the upcoming Cordova 3.7.2 should be removed in the AppBuilder 2.11 release, scheduled for July. I hope this helps.