Given a general mandate for at least some level of backwards compatibility among package maintainers, I've seen very few bugs introduced by updating. Most of the ones I can think of (
dmap moving to purrrlyr, dbplyr getting split out from dplyr) were really just relocations that didn't require significant changes to code (though the former was a sort of deprecation). Even when things are deprecated, they tend to stay that way for a good while before they ever get removed, so updating is more likely to generate warnings than errors.
On the other hand, I have seen a lot of bugs that have been fixed by updates. If you're in a production environment, and just want your code to run when called in two years, sure, lock down an environment in a VM. If you're doing interactive exploration, though, there's little reason not to update. Even GitHub versions of most packages are usually reliable, as significant changes are typically tested in branches first.
There are a couple times you must update:
- If you're going to open a GitHub issue, always install the current development version first to check the bug hasn't already been fixed.
- If you're updating R itself, you should update your packages. Depending on your installation, R will make a new directory for packages anyway, so you either have to relink your old set or reinstall them. If you're going to relink, update and rebuild, or you'll likely get a lot of annoying warnings later to do so.
- If you're installing a new package and it's not working right, make sure its dependencies are updated.
The one caveat I'll add is that it's totally legitimate to wait to update a package that doesn't have a compiled version on CRAN yet for your OS. Sometimes building from source requires outside resources that can be a pain to wrangle (e.g. sf), so if you can afford to wait, your life will be a lot easier. When updating from CRAN, you should get a prompt that lets you say no before it tries to compile anything, though.
As for concrete numbers, I'd guess I update every week or so. I wouldn't look askance at updating every month or so. If it's been 6 months to a year for someone who uses R daily, I'd expect a good reason (and they do exist).