Several years ago WordPress was considered very insecure. It is open source software, so anyone can see the source code. This means that hackers can freely analyze the code for exploits. WordPress developers work hard to keep it secure, but once in a while there are holes that no one thought of until some hacker finds them and eventually reports them to others. When this happens, a security update is made to fix that hole before anything bad happens. What happens if you do not update your WordPress?

There are bad people too. They want to take advantage of these holes to take control of other websites, so they can steal data or send unsolicited emails. Their actions are bad, so bad that they need a very large amount of data just to trick someone and steal a few bucks. But they don’t care about the damage they cause for every buck they earn, and they develop automated tools that search the whole web for a specific exploit of a specific content management system, in our case WordPress.

The WordPress development team will launch an update very shortly after they find out about the hole. Hacking script developers will need a few weeks to get a system built and a few more weeks until it spreads all over the Internet. So if you update WordPress whenever there is an update, you are practically 100% safe against automated tools.

But if you don’t update WordPress, things can go very wrong. First, they will want to set up a redirect on your website, so all your visitors will be redirected to another URL. Then they will use your server to send automated spam emails. Search engines will block your website. Browsers will prevent users from visiting your website because it will end up on a blacklist. They will steal your passwords, so even if you remove the infected files the virus can come back.

The amount of time you need to update your WordPress is anywhere between 3 and 20 seconds. The amount of time required to recover from a virus is 2 weeks.

There are also cases when the update is not so easy to apply. Those are the cases where the user has modified WordPress core files. In that case, all the changes have to be tracked and re-applied to the new installation of WordPress. This can consume anywhere between a day and a week, depending on the amount of changes to be made. If you are in this situation, you should know that the WordPress API is very advanced and you can do practically anything you now do in WordPress core from plugins or theme files instead, so whenever you update WordPress all your custom changes will be preserved.