If the organization is mandated by regulation, e.g. PCI, then it's a no-brainer.
What if there is no regulation and the system is stable?
At this point, it depends on risk tolerance.
Review the Oracle Critical Patch Update Advisory – October 2016 and search for the Oracle Database Server Risk Matrix.
This example is for Oracle Database Server; search accordingly for the components you require.
In that matrix, the "Remote Exploit without Auth.?" column is NO for all except Application Express.
How much time is spent assessing risk, and is it more efficient to spend that time patching?
It all boils down to time and tolerance.