The Joomla 3.7 release added new features AND 8 (eight) low-level security patches.
What they should have done was release 3.6.6 with all of the security patches as a ‘security’ release. Then, after the dust settled, release v3.7.0 with the new functionality. Instead, they combined both “security” and “new functionality” into the 3.7 release. To me, it seems they should have pushed the security patches into 3.6.6 and then the new features into 3.7, rather than combining the two.
The result is a scramble in the Joomla community where everyone rushes to install version 3.7 because it contains security patches. Then, another scramble to install 3.7.1 because 3.7.0 had a new security issue. It seems like a racket, no?
For me, I had just recently patched a few clients up to Joomla 3.6.5, and when the 3.7 update came out, we collectively waited. Luckily, too, because the 3.7 patch broke some 3rd party extensions:
As you can see, the RISK of applying a “security patch” can be the NEXT security patch coming down the pike. Patching a site, particularly if the site is LIVE on the internet, can be a stressful experience.