If I'm correct in assuming the private TCP port needs to remain 445, I'm guessing Comcast has a way of blocking that privately used port, and so changing the public one isn't going to matter, right? I don't know how they can block a private port, but my testing has led me to believe that is the case. I'm new to this stuff, so that may be false.
Yes, the private port must remain at 445 as that is what the "SMB server," in the AirPort Extreme, is listening on for SMB requests from a client ... whether that client is on the local network or from a remote location. Comcast shouldn't be able to block private IP addresses or associated ports on your local network that are behind a NAT router. (That being the Extreme again.) Most likely, Comcast is blocking "business level services" for their consumer-grade Internet service (at the WAN-side of your Extreme) and will want you to upgrade to the same level at an additional cost ... and by business level services, I am referring to running an email, ftp, web, or file server, etc. on your local network for remote access.
It is interesting though, I am able to access the drive using AFP over the Internet, because I confirmed Comcast does not block the use of that protocol's port (548). I wonder if that means AFP is any more (or less) secure than SMB over the Internet?
Unfortunately, it is no more secure than SMB. Again, a VPN tunnel is what would typically be used to secure any file sharing protocol. SMB just happens to be more "popular" and that is possibly why Comcast elected to block it. One option: switch ISPs.
Security concerns aside, the issue being because Windows doesn't support AFP
That's true as far as natively, but there are a number of third-party Windows apps that do support AFP that might be worth a try. I currently don't use any myself so I can't make any recommendations, but it may be worth your time to do a little research to find those that do support AFP for remote access.