Hacking is a threat that all publicly accessible websites face, whether they be simple brochure sites or complex CRM systems. For different reasons, and sometimes for no reason at all, hackers are interested in cracking your site security. And unfortunately for those that own open-source content management system (CMS) sites, it's often not that hard to do. With a simple script run from anywhere, not even from inside the site file system, I could gain administrative access to a lot of Drupal sites out there. And all I had to do was watch the public vulnerability list, and know that a very large number of site owners probably aren't taking the time to update their CMS sites.
Whose fault is that, then? And does this mean that all the good things about open-source CMS systems are outweighed by the vulnerability brought about by their very nature: open source and community driven? I.e. the code is freely available to practice dark hacking arts on, and the community themselves inadvertently tell hackers how to attack. Of course the communities make that information publicly available, along with security patches, when they discover the vulnerability (usually through a reported hack), with the intention of telling the site owners to update their versions of the CMS and "patch" the security holes. They also build these complex money-saving systems for you to use for free in the first place, and then go on to maintain their core... for free. So no, the risks do not, in this author's opinion, outweigh the benefits. For more on that, Google "Benefits of CMS"; I have written a bit on the subject with articles like Benefits of a Content Management System like Drupal and Why is Drupal Good for SEO.
As far as whose fault it is: if you build a bridge for someone to use, later discover that the surface is not strong enough, and advise them not to use it until a contractor has reinforced it, then you are being responsible. If that person chooses to ignore your advice, then they should not complain when the bridge lets them down. Remember, you never charged for the bridge in the first place in this analogy, so responsible disclosure of possible failure is arguably your only debt to them at this point.
So regularly updating your CMS version is a very good idea. When your developer suggests it to you, he's probably not just looking for a way to make a few extra bucks. And to be honest, as a developer, it's not a brilliant job. It's boring, it's a lot of watching files move, and it's short enough to not make up a decent billable time period, but long enough to disrupt more important, interesting and lucrative projects.
So what's in it for a developer, why bother pushing it on an invariably reluctant site owner? Quite a lot actually. The more outdated your sites become, the less restfully your developer sleeps, for a few reasons. Probably most notably, after pride in our work, is the possibility of waking up to find our biggest client's flagship site defaced. It's about a developer's biggest nightmare. Mainly because the client will think we are rubbish at our jobs (until he remembers just how often we asked him for budget to update his sites), and because we, the developers, now have many hours of extremely pressured patchwork to do that day, with the added nightmarish possible outcome that the site's data has been lost, stolen or damaged.
So please, site owners, update your CMS, and don't ignore your developer when he recommends it.