It's an Open Source package, so let's not update it
Really?
I would have thought this might be a good surrogate for whether or not companies update any external packages. There could be pressure in the opposite direction - let's not update the closed packages that we don't pay the maintenance on anymore.
Or let's not update anything unless we have to, because it costs developer/tester time too, etc.