I guess I was replying to your statement that 95% are new features and the URL was a list of security vulnerabilites (openssl's words, not mine.) Vulnerabilities are holes in security, not just run of the mill bugs.
With security it's often quite difficult to tell if a given vulnerability might apply to features you're using in a product. In order to make that decision, you have to research the specifics of the issue and have a pretty intimate understanding of what it refers to. It's very challenging even for the most seasoned sysadmins.
For example, CVE-2014-0076 (CVE stands for Common Vulnerabilities and Exposures) is listed as "Fix for the attack described in the paper "Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack" Reported by Yuval Yarom and Naomi Benger." The listing in the NVD isn't that much clearer: "The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack."
Just at first read it's pretty difficult to say whether or not this is something I would care about. Further research would help determine the risk, often defined as "Risk = Threat x Vulnerability x Impact" and then the business cost has to be weighed as well.
You would have to go through the same process for each of the 9 security vulnerabilities that were fixed in the past 2 years to determine if you needed to upgrade or not. And then all your systems would have to be thoroughly tested to make sure the ugprade doesn't break anything.
But I still believe my original statement was accurate: "If you didn't update openssl in more than 2 years you were missing many vulnerability fixes."
