If this is based on a popular distro, maybe; but if you wanted to loosen up a Linux box, you can build a freak from pieces that no one would find lineage for, much less a repo.
Why sit around replacing packages by hand when you're not really learning anything? The best fix for a system like this is to nuke it from orbit and reinstall. I mean, odds are, you'll miss something, and then spend hours fooling around after getting hacked, when you could have just spent your time concentrating on what's important: saving relevant data and configuration, reinstalling, and securing the updated configuration.
Riiight, downloading individual packages, libraries and kernels and building them from source. Which is why I thought it would be a good exercise, however very boring.
Running a Bastille script on the box would give you a quick TODO list. Pushing it to "production" and getting a few servers up and running, across version incompatibilities, would prove a bit more interesting. Running it under an older 2.4.x or 2.2.x kernel, doubly so.
I have spent hundreds if not thousands of hours upgrading random packages in Linux for various reasons. Afterwards, I didn't feel any wiser in security or anything except how to build stuff (well, maybe a bit of systems stuff...).
If upgrading is the main task here, what do you really learn? If upgrading isn't the main task here, what is?