Interesting way to measure dependency freshness (and therefore some of the risk): libyear.com

Whatever measure is used, I feel people need to focus on this (and other elements of dependency risk) far more than is typically done.