One in five sites are WordPress-powered, and I happen to specialise in it so, if you're considering using it, this may be helpful …
… whether you're new to WordPress or just want some clarity, let's spell out the difference between the Automattic-hosted blog and the self-hosted site.
WordPress.COM: Automattic's hosting
wordpress.com is the blog host from Automattic, the developers behind the platform.
Sign up for a free 3 GB space with a URL such as someblog.wordpress.com and you can choose from a limited pool of themes and widgets, create pages and posts, receive and manage comments, and upload some media types. You can pay to upgrade for things such as adding space, enabling video uploads, removing those ads that Automattic sticks on sites or even to use your-own-domain-name.tld.
WordPress.ORG: self-hosting
wordpress.org is where the standalone or self-hosted alternative to Automattic's hosting can be downloaded and discussed, along with most of the plugins that extend the blogging platform into what can be an awesomely powerful content management system.
.org downloads are installed (else bypassed using one-click installers such as Fantastico, which gets an honest appraisal in Easy WordPress Installs with Fantastico … But Is It?) on shared, VPS, or dedicated servers.
WordPress.COM vs WordPress.ORG: security
wpCop expands on this topic in WordPress Web Hosting Options, the Differences & Security, where we'll weigh up the security implications of not only Automattic's .com and .org choices but also those of all the host types. That should make for an interesting read.
In a nutshell though, and given Automattic's admirable defensive record for .com blogs, the difference is that when we self-host with the standalone app we assume the responsibility, exclusively, to secure our sites. So, if you’re still wondering which to use, you need to balance the exponentially greater scalability of a .org site against the effort required and risk associated with securing the thing.