Hacker News

cebert yesterday at 10:03 PM

Different times. The need to patch for security updates alone is increasing rapidly.


Replies

singpolyma3 today at 12:25 AM

Unless your code doesn't speak to a network or any untrusted user. But people are making software that fits these criteria less and less often.

killerstorm yesterday at 11:37 PM

The need for security updates is largely due to poor development practices where safe and unsafe code are mixed together, lots of dependencies with unclear provenance and quality, etc.

We had a recipe for a much stabler stack decades ago: separate the runtime (might need to be patched regularly) from the high-level business logic (never needs to be patched if done properly).

E.g. the old way of developing a web front-end was like that: you code directly in JS. It never needs to be patched, only the browser needs to be patched.

Same thing with Excel/VBA, etc.

But new devs don't know any of that, they just want to use the latest "framework" which pre-installs a whole bunch of vulns. And if there's a patch you need to rebuild. Constant churn just to satisfy the trend.

aetch yesterday at 11:25 PM

Some things just don’t have security issues found regularly.