If you are very well firewalled and trust all the local users you might get away with ignoring security updates but it's mostly a matter of luck. With the stock CentOS components, your downtime for an update is normally just a reboot and problems are extremely rare. If you'd added custom or 3rd party code items there's a somewhat greater risk, but it is still pretty unlikely that an update would break things - or that you wouldn't have heard about other people having a problem.
That's just not always correct. Again, a sec update that is not applicable doesn't make sense to update to, and there are many other circumstances too.
Ironically, I broke this very box once by updating it. I had expected to have had to update DAHDI as it builds against the kernel, but something I never figured out became not compatible with the version of asterisk. It seg faulted every time I tried to start it.
I ended up enabling the ast repo and updating asterisk as well after and it started fine. But it cost me a couple hours, and there was no fscking need to update. It's even firewalled from the local users. I wasted a bunch of time for nothing...
YMMV, jlc