bruce511 2 months ago

I agree.

Staying up to date is important but not urgent.

What you really don't want is that you don't do it, and one day it becomes urgent (usually for some external reason.)

You don't want to upgrade your networking the day after TLS 1.0 is rejected by that server you interact with. That seldom ends well.

When things are important to do, you should schedule them as part of the routine. So you might have a twice-yearly event of "get everything up to date". Doing it regularly keeps it manageable, plus you get better at it. The longer the gap, the more work it is, and the more work it will cause.

It is 99% easier to do when your system is working than when it's broken. The phrase "don't fix it if it's not broken" is literally the dumbest thing any programmer can tell you. Preventing it from breaking is a gazillion times easier than fixing it after it's broken, while everyone around you is screaming.

toast0 2 months ago

> You don't want to upgrade your networking the day after TLS 1.0 is rejected by that server you interact with. That seldom ends well.

OTOH, upgrading your server to support TLS 1.2 also meant upgrading to support Heartbleed.

It depends on your dependencies whether up to date is better than old and seems to work. And also, some dependencies will have breaking changes every release; skipping a few releases may mean skipping ahead on the cycle of churn.

Picking stable and high quality dependencies is nice, but not always an option.