[support] Is it mandatory to run updates if only trusted people can create content and comments?

[Francesco]

Hi everybody,
some questions which I wasn't able to find an answer to, searching the
web and the Drupal site (as I mentioned before, the link for searching
the support list archives is broken, hence I couldn't search there).

Some of the sites I'm creating do not give to users the ability to
create content, nor to comment anything.

Only administrators can create content and post comments, as well as
creating new accounts (but those sites will have just a handful of
users in any case, the administrators themselves).

So the question is: in such a scenario, is it mandatory to run updates
- especially security updates?

My knowledge about security issues borders the zero line, hence I
really don't know how much risk I would be taking by not running
updates regularly - by the way, regular backups are a rule for me in
any case, moreover because I could break the site myself ;-)

Imagine now I give anonymous users the ability to comment, while
keeping all content creation permissions for administrators, would
then an outdated site still be safe?

And finally, since I will be using the Views module, are Views
arguments an entry point for attacks, forcing me to run updates?

Thank you for your attention,
kind regards,
Francesco