When you don't update, you will eventually have software full of known security bugs. Known security bugs (if they aren't properly managed, like analyzing their impact and mitigating them) are arguably worse than unknown security bugs (ceteris paribus), because they are much cheaper to exploit.
The same does not apply to non-security bugs. The key difference is that security bugs are triggered on purpose, while other bugs are triggered accidentally. It is questionable if old software with security patches (e.g. Debian stable, Firefox ESR) is better than fresh one or not. I see good arguments on both sides, so maybe it depends. Regards, Vít Šesták 'v6ak' -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/57eb6f16-91f9-497b-921b-d7d39beb93e1%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.