These are good questions. The main issues are security and support.
In terms of support, most developers will only support back to so-many-versions. If something breaks, it’s probably on you to figure out a solution. For some, this will be a roadblock – for others, not so much. It really depends on “you”.
In terms of security, unless there is still a large userbase on your particular version of the plugin, it likely won’t get any security updates. This means you are responsible for being signed up for all the security site notifications and for actively monitoring them, as well. Also, using an audit log plugin will be an absolute must, just in case, as will be (IMO) daily backups. And, you’ll have to keep up with current developments of the current versions and keep your eyes peeled for any security-related items. In case it’s not clear: it’s a nightmare.
All that said, it’s important not to take this post as a suggestion to apply “better practices on top of bad practices”. The recommendation and best practice will always be:
Always update plugins and themes to their latest versions.
See, if there’s a “feature update”, then it’s not such a big deal to skip the update, but, if it’s a “security update”, then it behooves users to apply it. Unfortunately, as we have seen in the past, some developers have applied security patches without indicating that they were security-related, which can cause some folks to think they don’t need the update when, in fact, they really do. On the other hand, I have my doubts that many people bother to read the changelog, anyway – so, generally speaking, users should just always be updating along with the plugin’s releases. For those who choose to run old plugins/themes, they do so at their own risk.