As I’ve stated previously, you do not NEED to upgrade your Joomla site, assuming you understand the risks involved. Security updates are released by the core Joomla development team only for the latest version, which means that older sites require manual patching. I might be an exception to the rule, however, because I am able to take an old Joomla 1.0 or 1.5 template and make it responsive. I can also build features likesliders and show-hide scripts by hand into an older site.
Since 2012, when Joomla 1.5 “end of life’d,” there has only been one or two instances when I had to apply a manual patch on my site.
Compare this to what would have happened if I upgraded to Joomla 2.5 and then 3.0… I would have had 26 patches to install on the 2.5 platform and more than 40 patches on the 3.0 platform. And that’s not counting the “migration” between 1.5 and 2.5, then 2.5 to 3.0… what a lot of busy work! And an expense for clients that would be paying by the hour...
Take, for example, the most recent Joomla 3.8 patches. Joomla 3.8.4 was released January 30, 2018. It contained a number of bug fixes and low level security patches. Then, a week later, they released Joomla 3.8.5… which according to the official Joomla announcement: Joomla 3.8.5 addresses regressions reported after the release of Joomla 3.8.4, including the revert of routing changes applied in Joomla 3.8.4 (emphasis added).
Looking ahead with the Joomla platform, it seems like the latest 3.x platform will include one-click upgrade capabilities for moving to 4.x and beyond, which is great compared to the migrations required of older versions. But for now, I’m perfectly happy with my trusty old Joomla 1.5 software. I still have plenty of clients who are using Joomla 1.0 which lost official Joomla support in 2009.