"Auto-updates would create a single point of failure that could cause a malicious update to quickly spread to a supermajority of nodes on the network. As such, manual action must be taken by node operators to keep their node software up to date."
"In 2015, 2016, and 2017 most of these node operators are updating their software twice a year, with each new major release. In 2018 more node operators are slowing down and only updating their node annually."
"When looking at the lifecycle of nodes that are updated to minor releases, unsurprisingly it looks like their node operators are updating even more frequently; often more than every 6 months. This makes sense, as minor releases tend to be published between major releases."
"I suspect that the increase in lag time for node operators to update is the same reason why we see node counts higher in recent years: the rise in user-friendly plug-and-play node hardware and software. That is: there is a higher number of less technical node operators now and they aren't quite as enthusiastic about updating the software on their node machines."
"Before July 2018 it generally took 1 year for 95% of node operators to update their software. But after 2018 it doubled to 2 years. And it's entirely possible that we're now in an era of it taking 3 years for 95% of node operators to update!"
"While we shouldn't change nodes to auto-update their software since it would greatly weaken Bitcoin's security model, I do suspect we can improve the awareness of node operators."
"It's not considered safe to run Bitcoin Core releases that are more than 18 months old, as they may have unpatched vulnerabilities. If a significant number of nodes are running very old, unpatched software, it could pose a systemic risk to the network."