79% of the time, third-party libraries are never updated by developers after being included in a codebase. This is despite the fact that more than two-thirds of fixes are minor and non-disruptive to the functionality of even the most complex software applications. The research also finds notable fluctuations in library popularity and vulnerability year over year. Four of the five most popular libraries in Ruby in 2019 were no longer in the top 10 in 2020, while some of the most vulnerable libraries in Go became less vulnerable in 2020 and vice versa.
Source: https://www.helpnetsecurity.com/2021/06/24/third-party-libraries/

