The fact remains that vBulletin v3.whatever-it-is has known vulnerabilities; I've heard, on the other forum where I hang out, of a third forum which took the "if it ain't broke, don't fix it" attitude, only to learn (the hard way) that it
was broke — badly.
They were thus forced to upgrade, simply to salvage what they could from the attack; but there was much that was lost forever.
If a forum is left running old insecure software, something like that happening is a matter of "when", not "if".