You may be required – for example by PCI compliance – to update your SSH server to plug some vulnerabilities that some dumb scanner has flagged. The fact is alot of these vulnerabilities are probably already patched as part of OS updates, but you may be required to do it for some other reason.