Security should be commensurate with the consequences.
I maintain a package of third-party software used in our company for development, so that all developers (and customers) have exactly the same versions of the third-party components required by our software. It's simple enough in concept.
In practice, so many times we choose not to update because of API changes that we don't have the manpower to port our code to match. Other times it is simply a lack of management approval for the time needed to test that a third-party update does not crash our software before we update our package.
Heck, just ask NASA what their oldest still-operational computer is, and why. So I totally understand intentionally not using the latest version of something.
But then our level of security impact is pretty darn low. We aren't storing a database of millions (billions?) of customer records, including highly private information like social security numbers. If we were, we'd be darn stupid not to instantly jump on every security update.
IMHO, to be blunt, if you want to play with Big Boy Data, then it's your balls on the chopping block if you don't properly secure it. If that's too difficult for your organization, then maybe your organization is in the wrong business. We need laws that punish with a severity based on impact. Maybe then a few more companies will take security seriously.