Getting too paranoid about installing updates in case you have to reconstruct some time in the future is not a good idea; it will completely destroy any development and release method that involes incremental release and/or incremental deployment and/or incremental maintenance. As someone else alrady pointed out, courts will usually be sympathetic if you can show that have followed acknowleged (industry standard) best practice and done your best if something needs to be reconstructed for legal reasons and you can't do it successfully. Using ITIL or something similar will ensure that you have records of what version was where when, because you need them for more than just legal reasons. Those records should include things like passwords or a copy of your password safe or equivalent (old passphrases for that safe should be kept in a secure physical safe - if you discard them you are probably dead in the water), encryption keys (only those held in password-protected format outside the database), platform patch state, and application patch state as well as stuff about the hardware modification state; the software components installed (platform, middleware, and application) should be kept in there installed forms along with all updates. That will mean that you can always get back to a past point in time, provided you can produce or simulate the required hardware.

Very few shops indeed actually do this. None that I've ever worked in did it properly, but in many cases QA of software changes included checks that behaviour of existing functionality with old data was no different betwen old and new versions. Of course such checks will rarely be 100% comprehensive, but they can in almost all cases be thorough enough to provide a 99.999% certainty of no change. Then there are changes part of whose purpose is to change the behaviour of existing functionality with old data (as opposed to adding separate new functionality) and there version records are indispensible. But again they aren't always kept for more than a year or two, so in real life most people are not prepared for a sudden requirement to reproduce some ancient history. I suspect that while the editorail will make people think about this, and make some people who are already trying to have the reversion capability think hard enough that they improve their methods, it will have little or no lasting effect on the majority of people who just can't be bothered with a requirement to recover anything from more than a couple of months back (obviously people in some industries can't legally be part of that majority).