Why (since I had this question on FB):
Stagefright is a security flaw that allows an attacker to gain complete control over the device by sending a specially crafted media file. If Auto retrieve is turned on, the attack can happen without any interaction of the user. With Auto retrieve off, the user gets the opportunity to delete the message without downloading the media file. Google has patched Android however we now have to wait for manufacturers and carriers to distribute the patch via an over the air (OTA) update (except for Nexus devices which will receive the patch over the next two weeks). Some phones may never see this patched due to manufacturer and carrier incompetence.
This exploit is not yet "in the wild," but after the full disclosure at BlackHat and Defcon next week this will show up in the wild.
Also, be sure to disable this in all text apps on your device. Some text apps have no way to disable this while others don't pre-process media so they are unaffected. Check with your app creator to verify if there is no option to disable.