Security experts said vendors should be more responsive to customers who want security updates but prefer to stay with a version they already know.
Bruce Schneier, chief security technology officer at BT and writer of the Schneier on Security blog, offered a brief, "Yes and yes," when asked whether complaints about unneeded, unwanted features are legitimate and whether software companies should be paying more attention to updates.
Sharon Nelson, an attorney and president of Sensei Enterprises, a computer forensics and legal IT firm, noted that users are reticent to download updates with new features. "What Facebook calls a feature can be a privacy issue," Nelson said. "Some of the 'features' may cause problems with other software. Some features just add to software 'bloat' when you don't need them."
Sophos' Wisniewski said some companies are responding to those issues. He pointed to Red Hat, which was one of the first companies to offer long-term support for a software release. "They offer guaranteed support - security updates, but no other changes. And you're starting to see other vendors doing the same thing. Firefox is one of them."
Most companies, he said, are seeking a middle ground because, "the cost of supporting old versions for years is enormous."
Microsoft, which has continued support for the aging Windows XP, will be dropping that support in April 2014, Nelson said. "At that point, it will be critical to upgrade to a new OS, because there will be no more security updates or bug fixes."
Businesses have more options than individual users, said Wisniewski. "For the enterprise, it's important to have [a] stable platform," he said, "So you should ask (a vendor) how long is their support cycle and where are they in it. You almost always have [the] option of long-term support...with just security patches."
For users, it is critical to keep software updated. "My advice is, as much as you hate that stuff, you have to do it," Wisniewski said. "It's just not safe otherwise." He sees computers with out-of-date software "getting compromised all the time - it makes it easier and easier for criminals."
"Usually, in 75 [percent] to 80 percent of those cases, the patch has been available for six months."