One of the topics that is very important to many technology professionals is security. Security also might be one of the least understood aspects of our jobs. It's an area that requires regular learning, monitoring, reactions, and vigilance. A healthy dose of paranoia makes a good security mindset, but this an easily devolve into greater stress and worry than might be appropriate, or the feeling that one should throw their hands in the air because of all the potential issues, attacks, and vulnerabilities.
I think as individuals our part is to learn to write better code and scripts with security in mind, perhaps implementing best practices, but really the ways we will get better security is when vendors and platforms develop better ways to implement their security for us. They need people that study the issues and build fixes applicable to protect systems. This means we need good interfaces and basic contracts that ensure we can build software on top of platforms, but we will need to outsource this part of our security.
Microsoft is one company that has been working to help us implement better security through defense in depth, through partnerships with other firms, and is making a difference. They're not perfect, and there are still flaws in their software, but they are addressing and fixing them quicker and quicker. The world is changing, and Microsoft is a very different company than the one that build SQL Server 2008 R2, or even SQL Server 2012. They are maturing and becoming more responsive, and to me, more responsible about their place in the technology industry. They are striving to produce higher quality products, and when there are issues, they look to fix their mistakes quickly.
Many of us that have struggled to believe in this new Microsoft and apply patches in a more timely manner. I'll admit that I still rarely apply CUs unless I have a need for a fix, but mostly that's because I don't want any unexpected issues to crop up when I'm presenting and I don't have time to test that regularly. Like you, I have multiple versions of SQL Server. I do catch up periodically, and I certainly try to apply Service Packs within a few weeks of release, if not sooner. As much as Windows updates can be annoying, this is more a matter of timing than concern over quality, and I do try to keep up with these.
Will Microsoft and other vendors make mistakes with updates? Sure, sometimes there will be a patch that causes a problem with some, maybe many systems. However, we do need to grow and advance the security of our systems, which will always have vulnerabilities. Therefore, we need good quality updates from vendors like Microsoft, which I do think has happened. However, we also need customers to apply those patches. You can be slow and conservative, but don't be negligent and try to avoid them completely. That makes the security situation worse for all of us.