Here is a situation which I believe probably happens for more often then most developers or Drupal website owners would care to admit:
You log in to your Drupal site and see that ominous red (pink, actually) notification that your website needs security updates applied.
You wonder to yourself if you really need these particular Drupal security updates. Imagining how much effort it can be sometimes to test and deploy these updates properly, you decide to do them some other day.
I can sympathise, but if you're using the website publicly for anything at all, the Drupal security updates should not be considered optional. So the short answer to the main question here is "yes", it is absolutely necessary to apply updates for Drupal!
In a recent hack, "bad guys" were able to take over little brochure websites and send nasty emails across the internet. Now, your domain name could be identified as spam across the web.
Sure, we can often recover Drupal sites that have been hacked, but it is much more expensive than if you just stay up to date with security updates.