For me, I had just recently patched a few clients up to Joomla 3.6.5, and when the 3.7 update came out, we collectively waited waited. Luckily, too, because the 3.7 patch broke some 3rd party extensions:
https://www.ijoomla.com/blog/updates-for-guru-and-ad-agency-are-now-available/
https://www.artio.net/support-forums/joomsef/community-support/joomsef-4/joomla-update-3-7-broke-joomsef
https://yootheme.com/support/question/108983
https://www.akeebabackup.com/home/news/1676-joomla-3-7-0-and-cli-scripts.html
As you can see, the RISK of applying a “security patch” can be the NEXT security patch coming down the pike. Patching a site, particularly if the site is LIVE on the internet, can be a stressful experience.