Hi guys!
So I’m wondering if it’s stupid to not update a theme, purely from a security point of view. As long as one keeps all plugins up to date, will the website still become more and more vulnerable to intruders as time goes on?
Can there be security holes in the theme itself?
Can themes have security holes? Yes they can.
If it was built properly by using best coding and security practices you will not have any security holes, but that’s a big if. 
All softwares should be kept upto date. Themes as well.
Funny you should ask. Around this exact time last year a MAJOR security loophole was discovered across a tremendous amount of reputable themes. I don’t recall the specific but it had to do with .xml inject attacks I think.
I had a client who’s host had completely shutdown their website, because they did not update their theme and a virus was installed on their site. (It’s why they hired me–to get their site back up and running)
So yes, there can be scary, site breaking, host isolating loopholes in themes–even ones that follow best practices. But when the loopholes are discovered, the WordPress community is second to none in getting them patched up and restoring security–so yes you should definitely keep your theme up to date.
Wow, I didn’t think it could be that bad! Thanks for your answer!