Hell, I ran into a Linux box recently at a friend's, on the Internet, running Red Hat 5.0. That's not RH*EL* 5.0 or Fedora 5.0, note: that's Red Hat 5.0. Genuine 1997 vintage 2.0.29-ish kernel and libc5 userspace IIRC, never upgraded. Said friend wasn't even aware it *could* be upgraded. And it was in use as a firewall.
So, no, this sort of thing is not unheard of in the least.
(I dislike automatic upgrades that you can't turn off, but automatic upgrades *by default* seem like a very good idea to me. People who don't know or care about security might be secure-by-default then.)