Funny you should ask. Around this exact time last year a MAJOR security loophole was discovered across a tremendous number of reputable themes. I don’t recall the specifics, but it had to do with .xml injection attacks, I think.
I had a client whose host had completely shut down their website, because they did not update their theme and a virus was installed on their site. (It’s why they hired me–to get their site back up and running.)
So yes, there can be scary, site-breaking, host-isolating loopholes in themes–even ones that follow best practices. But when the loopholes are discovered, the WordPress community is second to none in getting them patched up and restoring security–so yes, you should definitely keep your theme up to date.