Why do we patch, or not?
Offer a starving man a moose-turd pie, and watch him hesitate. The typical "update", even (especially?) a "security critical" one is as likely to contain corporate or state malware as it is to actually fix something. To be fair, sometimes they do actually fix something, typically something a competitor (Google/Apple/MSFT/FSB) was using...
In an ideal world, "Security fixes" would be exactly, and only, that. No software equivalent of the "Omnibus puppies and motherhood (and indefinite pretrial detention and unlimited expense accounts for MPs) act". In the real world, modern software is so full of bizarre dependencies that it is entirely plausible that deprecating a particular encryption suite will break the ability to display cat videos in other than 4:3 aspect ratio, or some such.