Inspired by a recent conversation with a client, along with inheriting developer ownership of a few sites that were not kept up-to-date, here is a detailed explanation of why the code that runs your Drupal site should be updated and maintained.
Note that I'm talking about updating your site's contributed modules or core, which involves minor code changes (for example, updating Drupal core from 7.25 to 7.26), and not upgrading your site to the next major version (going from Drupal 6 to Drupal 7).
There are 3 main reasons why Drupal code (both Drupal core and contributed modules from drupal.org) is updated. Here they are in order of importance:
These are the "red flags" on your Available Updates report page. Security updates fix issues where a malicious user could gain access to, hijack, or outright destroy a website. You can weigh the likelihood of the possibility occurring (how trustworthy are the users, how secure and unique are their passwords, what features of the site do they have access to, etc.), but it's best to close up the holes once they're found.
Perhaps most importantly, once a security fix has been posted, the details are shared with the wider community, to prevent others from making the same mistake in their code -- but meanwhile, if you are using an older version (which can be easily figured out), someone with malicious intent knows what to try to cause havoc.
Perhaps your users have been using something that only half works because it's "good enough". Or you go to check your site's error logs and see pages and pages of PHP notices. In both cases it's a good idea to fix those problems to help keep your site running smoothly. Any module that integrates with a third-party data source (Twitter, Facebook, etc.) can stop working if the API changes, and an update might fix a bug that you never even noticed.
Occasionally, a minor module release will add new functionality, or expose that functionality when the module developer and beta testers have determined it's ready for prime time. Or, you want to add a new feature to your site, but it needs updated versions of specific modules. If you've been keeping your site up-to-date, it's more likely that you already have the versions you need and can jump right into building out what you need.
Ok, so a fourth, bonus reason is that it gives your developer time to put eyeballs back on the site. The update/maintenance window is a good time to review server and site performance, make sure your version control workflow is still operational, and test out your backup plan. You do have a backup plan, right?
What if I launched 6 months ago and haven’t touched my site’s code since?
Waiting that long before updating can turn the testing and deployment process into a dreaded task that gets pushed back week after week — I understand! However, with a good workflow and established testing instances, regular maintenance updates are a piece of cake! I recommend getting caught up as soon as possible, and establishing a regular maintenance schedule so that you don't fall behind in the future.
Since Drupal core has a release window every two weeks, and contributed modules generally get updated as needed, I've established the practice of reviewing and updating sites once per month (with security updates deployed as needed).
So, how much does this cost?
Using some basic, content-heavy sites I manage as a guide, over the last 6 months I've spent only 1 hour per site, per month. In my mind, that's totally worth the benefits I've described above. What do you think?