I had a lengthy email conversation with Brian Layman a few months ago about security issues in WordPress, and the need to motivate WordPress users (who more often than not are laymen [no pun intended] themselves) to upgrade. Brian is a bit disillusioned with how security issues are handled by the WordPress core team. He compiled his research and his thoughts into a rather long post, which is a must-read for all WordPress users.
If you have not updated your WordPress, do so, and do it now! Brian has a very helpful script that allows you to update WordPress in 35 seconds. What are you waiting for?