Does Heroku ssh in for you and update your Rails installation or other custom software? If not, there's no way you should leave any software unattended for that length of time. Most Java, Python, Ruby and PHP frameworks/apps will have had vulns in that period, for example. Also, do they upgrade things like Ruby without you redeploying?
What heroku buys you is not having to deal with updating the web server and database, as they'll deal with all of that, but I wasn't aware that they provide a fully managed service like say wordpress.com, and I don't see how they could for custom apps.
You don't need to ssh into the box to take care of Rails vulnerabilities; just redeploy. Heroku is taking care of any vulnerabilities in the rest of the stack: Postgres, Nginx, SSH, etc.
The thing is, that's actually the easy bit: use apt-get upgrade on, say, Ubuntu LTS and you will very rarely see problems with your upgrade of software like Postgres, Apache, SSH or Nginx. It's so widely used that you're unlikely to run into issues, and upgrading takes a few minutes every few months.
The things you need to test and then deploy are upgrades to your language and framework/app, and those present exactly the same problem on Heroku or on, say, a VPS. You can't just redeploy your app without testing on a new config, and deploys to Heroku are no easier or harder than deploys to your own server once set up.
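The point made in this thread is that platform patching covers the stack below your app, while the framework versions pinned in your own Gemfile.lock only change when you redeploy. As an added example that is not from any commenter here, this Ruby check compares a lockfile against a list of minimum patched versions and reports the gems that would still ship vulnerable on the next deploy. The Gemfile.lock fragment and the advisory table are constructed placeholders, not real advisory data.

```ruby
require "rubygems"

# Constructed Gemfile.lock fragment (placeholder, not from a real app).
# Bundler indents top-level specs by 4 spaces and their dependencies by 6.
SAMPLE_LOCK = [
  "GEM",
  "  remote: https://rubygems.org/",
  "  specs:",
  "    actionpack (4.2.0)",
  "      rack (~> 1.6)",
  "    nokogiri (1.6.0)",
  "    rack (1.6.0)",
  "    rails (4.2.0)",
  "      actionpack (= 4.2.0)",
].join("\n")

# Constructed advisory table: gem name => requirement met only by PATCHED
# versions. Placeholder values for illustration; a real check would load
# these from a maintained advisory database rather than hard-code them.
ADVISORIES = {
  "rails"    => ">= 4.2.1",
  "nokogiri" => ">= 1.6.1",
}.freeze

# Parse the top-level "specs:" entries of a Gemfile.lock into
# { gem name => Gem::Version }. Dependency lines (6-space indent, with a
# requirement operator) deliberately do not match.
def locked_versions(lock_text)
  lock_text.scan(/^ {4}(\S+) \(([^)\s]+)\)$/)
           .to_h { |name, ver| [name, Gem::Version.new(ver)] }
end

# Return the names of gems whose locked version does not satisfy the
# patched requirement, i.e. the ones that need an upgrade and a redeploy.
def gems_needing_redeploy(lock_text, advisories = ADVISORIES)
  locked = locked_versions(lock_text)
  advisories.each_with_object([]) do |(name, patched), stale|
    version = locked[name]
    next unless version # gem not used by this app, nothing to do
    stale << name unless Gem::Requirement.new(patched).satisfied_by?(version)
  end
end

if __FILE__ == $PROGRAM_NAME
  stale = gems_needing_redeploy(SAMPLE_LOCK)
  puts stale.empty? ? "lockfile is current" : "redeploy needed for: #{stale.join(', ')}"
end
```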