Disagree. My 2 cents as a watcher, administrator and user:
1/ they have better things to do Then don’t take the release! If a release contains security patches (so they should take it), then I don’t see how hiding the issue by holding back the release helps. 2/ it gives impression of immature and buggy software - this gives thoughts towards alternatives, IRC shows many admins have no loyalty todays much of todays software (well, windows fanbois excepted. Massively disagree. Frequent release to me give the impression of an actively maintained and evolving project. And there are a lot of changes in the HTTP space (HTTP/2, move to encryption, increased awareness on security...etc.). 3/ As a consequence of 1 & 2, they will not upgrade, this might be trivial for little thigs, but when a nasty bug comes out, this is what comes to mind" oh fsck it, we just upgraded httpd last week, screw it, we'll wait" - they get bitten, CIOs demand heads, remaining souls dump httpd and install nginx or some other alternative Discussed above. And nginx releases monthly (http://nginx.org/en/CHANGES) which I’d be happy if Apache HTTPD moved to. 4/ dont be fooled into thinking its the package managers role, many networks run on RedHat EL, SuseEL, and debian, but far from all - and even those distro package maintainers get sick to F'n death of it after a while and skip updates. I do wish Apache would run its own “official” repo to make upgrading to latest easier. Don’t have the expertise to help with this and understand it was done in the past and given up due to lack of people who did but still think it’s a shame we don’t. I think this is an area nginx does stand out. Upgrading Nginx is often as simple as “yum update” or “apt-get”. They even run a repo for their mainline version for those that want to be bleeding edge. Do not be delusional - this has happened many times before. I give you dovecot as example, it wasnt that long ago a new release was coming out weekly, sometimes only a few days apart, people get sick of updating, some people are still today running versions a year old because of it, I know of a few who moved to "courier", an oldy but a goody. And some people are still running Apache Httpd 2.2 or 2.4.6. I don’t think that’s anything to do with the frequency of releases. The release often mentality might be good for a new nurturing project, but that is not httpd. System admins want stability. Maybe, but that’s not the world we live in. And others want features and we shouldn’t give the impression Httpd is legacy because it lacks the features other web servers may have. Stay on packages managed version of 2.4.6 if you want and just take the security updates that your package manager is responsible to include.