The main reason to update dependencies is that when emergencies do arise, you don't want to be in the situation where your only options are:

1. take on the additional risk of months or years of changes in between

2. beg or plead with (or throw money at) upstream to patch your old version

3. attempt to patch it yourself, potentially introducing new issues because you're not the ___domain expert