It is very telling that Amazon do not run the same version of their underlying hypervisor across their entire infrastructure.  Part of the reason that they do this is that a fault may be discovered in a particular version.  If everyone has that version then everyone has the problem.

3rd party software is the bane of our existence.  As long as you are prepared to treat it as a black box and not go prodding around under the hood then you can get away with ignorance is bliss.  As soon as you take a peak here be abominations.
If there are any security concerns that require a particular CU or SP then I would expect the powers that be to lean heavily on the supplier to ensure that the issue is fixed in their software.