James,
When Moodle finds a security issue, it fixes it in the next release. It waits one week, then announces to the world what those security issues are. I know this because we were stuck on 1.9 way beyond that version's life. When IT discovered that security issues are released to the world, they immediately began plans to upgrade.
We are now on 2.9+ with plans to get to 3.1, which is a long-term support version (3 years vs. most versions' 1.5 years).
Another good reason to upgrade is that 3.2 focuses on user interface, which is much improved, and accessibility.