It's a big deal, especially for small dev shops, as they're less likely to have people available to plug security holes or monitor servers for vulnerabilities/compromises. If you're using shared hosting, probably not an issue. If you're using a VPS, PS, or other service where you are expected to maintain the server, well...<p>For some systems, it's just a matter of logging in to the server and running a single command line, like "sudo yum update bash" (replace "yum" with apt-get, or another package manager).<p>You can leave it, but know that you're leaving your clients vulnerable to things such as:<p>- stolen data
- data loss
- compromised/corrupted/deleted backups of data, code
- site disruption
- botnet participation
- illegal file dump/trading space
- unremovable rootkits<p>Having said that, I believe you should be safe if you don't use CGI to run your apps.<p>The earlier you plug the holes, the better.