Security updates are a must, especially on systems that look at the Internet.
Functional updates, here it's better "it works - don't touch it" :) Examples. 1. There is an X-ray baggage scanner at the airport, it is controlled by a computer with Windows NT pre-installed, an attempt to update is an opportunity to get a brick that is very expensive to revive. 2. There is a file server running on Windows 2003 R2 in one organization, in a branch far, far away, the absence of new drivers does not allow to install a more recent OS, the financial situation does not allow changing hardware. However, he has 2 years of uptime and no gaps. Does it work?) Don't touch it :)
It all depends on the situation.

internal perfectionism for updating everything as much as possible

Correctly.
This is a very bad principle that should never be used.
And there is. From major to major, most often, you just can’t upgrade.
Yes, definitely. No one does updates (updates themselves, patches) just like that, because there is nothing to do, these are always bug fixes, closing holes, new features.
Not every day, but once every 2-4 weeks for sure.
I advise you to take an image of some server through dd and cut it to the same VirtualBox and, for starters, update it there. If all is well - update combat.

EL6 has its own updates - until now. Yes, there the main package base is ancient, like a mammoth barn, but updates are on the bucket and the main packages are coming out and, if you wish, you can add something more or less fresh there.
If you don’t update, then one day you can get into a situation where the bosses are screaming and rushing, demanding to install software X, for the installation of which software Y is needed, which is not installed because the Z version of the library is lower than necessary, and to update it you need to shovel half the system .. ..
Ronald McDonald gave good advice - remove the image, try to drive it into a virtual machine and update and see what jambs come up. Start with the least loaded car.

And just like that, "updates for the sake of updates" also do not want to be installed.

And rightly so, it's just dangerous. I have a process in place for how to live on a rolling release in a prod, and when the process is established, you can update every day, but "just like that" is dangerous.
But there is a moment in that we are talking about RHEL, they don’t radically update within one version of the distribution, but they themselves test everything for compatibility. And if they release an update - apparently it is necessary.

If there is a possibility of a problem, then you put the necessary version of the OS and software on the test machine / virtual machine, deploy one "site on cms, which is also ancient" there.
Test performance on typical tasks. If there are no problems, then you can throw into battle.
If the engine cannot be updated, then it will at least work on a newer version of the http server and interpreter with closed holes.