If you're running a current version, then vulnerabilities are being patched as they are updated.
If you're running a version that is not receiving security updates, you remain vulnerable to vulnerabilities discovered (perhaps in later versions using same code) after the updates have ceased.
I'm running a version which is not yet vulnerable to file system destruction (also mine still is case-sensitive as it started), and is not vulnerable to critical discoveryd/mDNSResponder and Mail bugs.
It's a complicated pro-contra decision, but in Apple's case it's an easy decision. They have abandoned all developer good will some years ago already.
Running current versions is rarely advisable. Just see the gcc-9 disaster.
