> I’d be worried if close to 100% of the packages they included in bookworm hadn’t been updated in the roughly 2 years between releases.

Code doesn't "go bad" and not everything is affected by ecosystem churn and CVEs.

An established package not having updates for 2y is not in and of itself problematic.