It would be wrong of me to overstate the case, but minor (and very occasionally, major) security issues are found quite regularly in Moodle (and any software) and are fixed and released in the next version. Depending on how you use Moodle some may leave you open to hacking etc., many will not. However, you don't really know. What you do know is that you have (at least) two years worth of fixes that you don't have in your current site.
By 'show stopper' (sorry - local vernacular presumably). I mean a bug that prevents you working in some way. Like security fixes, there will have been hundreds of bug fixes and improvements in code you don't have. You don't care until the day you do... something breaks. Sooner or later, the server will be upgraded to the point that your Moodle site no longer runs.
I would caution anybody to be in a position were upgrading Moodle regularly is not a big deal. Some IT departments are so risk averse that they will not upgrade software because "it's working fine". My opinion is that they are not doing their jobs properly.
All just my $00.02 of course.