The internet is a hostile environment. When you operate internet-based services, all of the system components are subject to the key question of risk management. This applies across the entire architecture, including the operating system, the system services and the application environment. All client partners, including those providing development and hosting services, have their role to play in ensuring a secure and updated environment in which to operate client internet services.
Maintaining a secure and updated environment mitigates risk on two levels and is a fundamental requirement of internet operations. As the client, the organisation should expect that all partners will perform their roles in order to protect the integrity and reputation of the client's internet services as far as possible within operational boundaries.
Focusing on the application environment, which falls under the developer’s remit, maintaining the security level of a content management system (CMS) environment is not an enhanced service. It is a fundamental requirement that all CMS components which exhibit security issues are updated to protect a CMS-driven website from released vulnerabilities.
Frequently, one of the key objectives of the client's website is the use of a CMS and community-contributed modules to reduce development costs. These components are generally actively updated by their developers. Applying these updates, which contain bug fixes and new functionality, assists the development process by reducing the time spent on fixing faults that have already been fixed by the original developers in their updated modules.
There will always be exceptions, and custom modules are excluded, as these contain proprietary code and any vulnerabilities in this code are an unknown element. You would expect the development partner to provide a secure and updated environment as part of their core service offering.
Is this a reasonable expectation or not? You decide.