A recent report released by the SANS Institute finds that unpatched client-side applications are a major security risk. It came in at number one.
The main issue with unpatched applications is that hackers devote special attention to known security flaws in widely used applications, like Microsoft Office and QuickTime. The manufacturers know this and continually issue updates to deal with the identified risks. But if users don't install those updates, their systems remain at risk.
Keeping application patches regular and up to date is a crucial aspect of good control and security. Most administrators realize this, but not everyone has an effective program for patch management. See this article in CIO.com.