by LorenzoGood 642 days ago
On an internet exposed server?
2 comments

While sibling comment is correct about the discussion, I do have a few VPS I've had around for a while (<5 years with only password-based SSH too because keys are annoying asf to manage when you're like, on your phone trying to do something etc) and I barely ever upgrade those and everything seems fine. They have DNS pointed at them too so it's not like they're secret in any way.

I suspect it's because I don't use many common software packages so the attack surface is small-ish.

What's difficult about managing keys? I use key login with termux and if anything it's easier because typing passwords (or anything) on a phone is tedious.

Agree in general that people wildly overestimate the risk of leaving things alone. e.g. nginx hasn't had a security advisory affecting basic HTTP 1.1 serving static content without TLS in many years. And of course desktops are behind stateful firewalls.

For me a big appeal of having a "home" environment on a VPS is that I can just do useful things from any computer-like device, that's not really possible with keys. Rather than fucking around with keys I can just SSH in from wherever and roll the password when I'm done. High entropy non shared passwords are just fine, you'll get your IP timed out after a couple attempts, nobody is throwing a botnet at bruteforcing my pass.

That's not what the discussion is about, stop hijacking the thread to push your narrative.

I understand that auto updates aren't ideal, because they cause breakage (most of my systems don't auto update), but I don't get not updating your systems at all.