Jason's comments here are good and I'll elaborate a bit.
We rely on Debian's provided versions of the majority of our software. Debian has a general policy to not do major software version updates within a release of the distribution. They do that for stability reasons. Upgrading any installed software on any of our servers has the potential to break some number of existing websites. For all of the people who want the latest and greatest version of some software, there are probably 10 other people who just want their website to work and continue working.
That said, we do maintain quite a lot of our own custom Debian packages (several hundred) and we do install some from the Debian backports.org project sometimes. Every package we maintain ourselves requires us to do all of the work for that package including all security updates. That work for a single package is not that big of a deal, but it can add up very fast.
We have found that the vast majority of users do not need the additional features of the latest versions of most packages so it is not worth the extra time and effort required to maintain those packages ourselves most of the time. We did just recently go 'off-road' and on our own for the python and ruby packages we have installed after a number of requests for those. We do pay attention to the suggestions. Those help us determine what things are most important to most of our users. If something is important enough to enough people, it is worth the effort to maintain and handle any possible website breakage.
We don't make any guarantees about what version of any particular software package we have installed. Our 'core' packages are things like Apache, which we use to host every website. We also maintain PHP ourselves and have added several non-default options at the request of our users.
Note that we are very flexible in what we allow our users to do. You are free and able to install your own updated versions of pretty much any software out there, if you have the necessary technical skills.
Also, regarding the security concerns, Debian applies security patches to older versions of software when there is a security problem rather than updating to a newer, potentially incompatible, version. We are very on top of security updates and is very unlikely that any software we have installed has any exploits. Things can fall through the cracks however, so we appreciate you contacting us if you do find any exploits.
- DreamHost Head Honcho/Founder