Well, if you're adding new dependencies you're already doing new maintenance work, and this is a whole different ballgame than just keeping what you have working.
Yes and no. In practice sooner or later you need to update something - you need it to work with a new OS/database/TLS algorithm - and then often there's a domino effect.