My biggest gripe with tools like Drupal (& WP and other FOSS CMS like things) is that updating them often seems to break things. You have a custom layout and upgrade? Shit breaks. Have some custom plugins? Shit breaks. After the first couple of updates, your client no longer wants to pay you to fix things after an upgrade, so you stop upgrading. Inevitably a remotely executable flaw is found, and you're now fucked.
While I do agree, Drupal does publish just the patch for these critical updates for both D7 and D8. You can patch an old version of the site pretty quickly without upgrading or working back in the inevitable core hacks. Each of the big 3 Drupal fixes have been maybe 30 lines of code across 3 or so files, IIRC.
Now if they aren't willing to even pay for that minimal level of service I have little sympathy.
There are so many people out there who pay someone 500eur/usd for a simple drupal website, and then expect to pay maybe 50/year for hosting, but are entirely unwilling to pay for anything else. After all, they can get dirt cheap hosting or free wordpress sites all over the internet, so paying anything at all makes them seem like a good customer.
You get what you pay for. Unfortunately, many of those unpatched websites end up causing trouble for others...
