Drupal

Since Drupal is a community project, the code is always being fixed, updated, and changed. In the past few months there have been a number of major security holes that have been fixed -- but part of the process of fixing vulnerabilities in open-source code is communicating what the holes are, how they might be exploited, and how to prevent writing code that contains those holes in the future. So it becomes a double-edged sword -- the issue is fixed, but hackers can take the information and exploit sites that haven't been updated yet.

Backstory: Part of a site I'm currently building is set up so that approved users (aka content submitters) can submit resources. Another category of users, content administrators, will need to be able to define the different types of resources (ie. download, YouTube link, PDF file). Neither user group needs to know or care that we're using a single Resource content type to manage these items; the goal is for content submitters to "Post a YouTube link", instead of going to "Create Resource" and selecting the taxonomy term for a YouTube link.

Inspired by a recent conversation with a client, along with inheriting developer ownership of a few sites that were not kept up-to-date, here is a detailed explanation on why the code that runs your Drupal site should be updated and maintained.
 
Note that I'm talking about updating your site's contributed modules or core, which involves minor code changes (for example, updating Drupal core from 7.25 to 7.26), and not upgrading your site to the next major version (going from Drupal 6 to Drupal 7).