Broadcasting the client version is a serious privacy issue for those up against a network-level adversary (China/Iran activists, anybody GCHQ/NSA doesn't like). The important issue is timing correlation.
Example: A) Activist creates anonymous website, uses SSH-over-TOR to update his website. B) Network-level adversary monitors network around his website, sees the activist is using SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u1. C) Activist updates SSH through apt-get dist-upgrade using his real IP. D) Activist updates his website using SSH-over-TOR. E) Network-level adversary now sees he is using SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2. F) Network-level adversary checks their captured network data to see who downloaded the Debian-4+deb7u2 deb from security.debian.org or other mirrors during that time. There are other variations that don't require the adversary to monitor the traffic to the package mirrors. Example: A) Activist visits state run news site using his real IP. B) Activist uses SSH-over-TOR to write rebuttals to each news item. C) Network-level adversary sees when he upgrades his SSH version. D) Network-level adversary correlates that with visitors to their news site whose User-Agent version changed around the same time (of course limiting it to Debian users since for some reason the User-Agent strings report that). Even a traditional police adversary could use time correlation with no network monitoring needed. Seize the server, seize a suspect's TAILS CD, use /var/log/auth.log on the server to match the SSH client upgrade time with the timestamp the TAILS CD was burned. I'm sure there are many more but you get the idea. Leaking any information about the OS or package versions should always be avoided. Even if you can't think of a scenario that would abuse it does not mean that scenario doesn't exist.
