One of the biggest benefits of Docker images is their immutability. Once they’re built, they don’t change. Built once, it would work forever… That’s where the nightmares of security guys start 🤣
In day-to-day work, the first concept usually wins. You want your builds stable and try to avoid the tempting distraction of upgrading log4j to the latest version… Who knows what might break. That’s fine; it makes sense.
Upgrading usually happens once a year, maybe once every three years, maybe when we need a feature or want to add Java 21 to our CV. Generally speaking, “it’s a special event”. For some developers it’s a once-in-a-lifetime experience. Taking into account how long they stay at a company, they might not be there the next time it happens.
There are obvious security risks in not performing updates; we have seen it multiple times: Log4Shell, POODLE, Shellshock, Heartbleed.