Hi Justin, thank you for your response. These words of yours:
Any data from a user is a possible attack vector for potential hackers.
are just what I needed to hear. I have to explain the need of updates depending on the amount - and moreover on the configuration - of the Drupal modules to the people I am making sites for.
I'd say that if users can't create or modify content you're safer, but I'd still run updates. Not only do the updates fix security problems, they provide bug fixes which might improve the functioning of your site.
No problem for my very sites, I'm more concerned about my "clients" sites security - clients inside quotes because that's not paid work :-/ More the modules, more the updates to take care of...
Well, I'll find an arrangement.
Thanks a lot, Francesco