To avoid ‘l33t hax0rs’ and generally keep your app purdy like, it’s nice to know when you’ve got a vulnerability.
It’s also super nice when fixes are backported, so that you can apply fixes without bumping major/minor version numbers.
I had to do so with Rails 3.1.x and all the application-specific gems.
Since all my apps are on GitHub, I used gemnasium.com, which shows all out-of-date and at-risk gems in your Gemfile, and which versions contain fixes, so you can estimate how much time needs to be spent updating.
Go do it. It’s easy.
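What a check like that boils down to, as an added example (not code from this post or from Gemnasium): read the resolved versions out of `Gemfile.lock`, compare them with advisory data, and report whether the nearest fix is a backported patch release or needs a major/minor bump. The gem names, versions, advisory requirements, release lists and function names are all constructed for illustration.

```ruby
require "rubygems"

# Constructed Gemfile.lock excerpt; gem names and versions are hypothetical.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      examplegem (3.1.2)
        helpergem (~> 1.0)
      helpergem (1.0.4)
      othergem (2.0.0)
LOCK

# Constructed advisory data: requirements that a fixed release satisfies.
PATCHED = {
  "examplegem" => ["~> 3.0.9", "~> 3.1.5", ">= 3.2.1"],
  "othergem"   => [">= 2.1.0"]
}
# Constructed release lists for the affected gems.
RELEASES = {
  "examplegem" => %w[3.0.9 3.1.2 3.1.5 3.2.1],
  "othergem"   => %w[2.0.0 2.1.0]
}

# Resolved gems sit at exactly four spaces of indent under "specs:".
def locked_gems(lockfile)
  lockfile.scan(/^ {4}(\S+) \(([^)]+)\)$/).to_h { |n, v| [n, Gem::Version.new(v)] }
end

def patched?(name, version)
  PATCHED.fetch(name, []).any? { |r| Gem::Requirement.new(r).satisfied_by?(version) }
end

# For each at-risk gem, find the smallest fixed release above the locked one
# and say whether it stays in the same major.minor series (a backport).
def audit(lockfile)
  locked_gems(lockfile).filter_map do |name, locked|
    next unless PATCHED.key?(name) && !patched?(name, locked)
    fix = RELEASES.fetch(name, []).map { |v| Gem::Version.new(v) }
                  .select { |v| v > locked && patched?(name, v) }.min
    backport = !fix.nil? && fix.segments.first(2) == locked.segments.first(2)
    { gem: name, locked: locked.to_s, fix: fix&.to_s, backport: backport }
  end
end

audit(LOCKFILE).each do |r|
  kind = r[:backport] ? "backported patch release" : "major/minor bump"
  puts "#{r[:gem]} #{r[:locked]} -> #{r[:fix] || 'no fix released'} (#{kind})"
end
```

Gems reported as a backported patch release are the cheap updates; anything flagged as a bump is where the upgrade time goes.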