The Drupal and Joomla projects are both open source collaborations which release periodic updates to the codebase. You should always keep the code updated to the latest stable version that has been released since they often include security updates in addition to new features or bug fixes. (Keep in mind that you should be tracking and updating both the core code as well as any contributed extensions/modules that you may be using.)

We received a call recently from a group who had a Joomla site that was hacked. It turns out that one of their staff members had an insecure password and the hackers obtained the password, giving them direct access to the administration pages. Another way that hackers will sometimes try to compromise your site is to try to directly access insecure code from components or modules that haven't been updated. I thought it might be useful to post a quick security tip for non-profits that are running Joomla!