TL;DR (You can skip this and go directly to the bottom)
------
Security patches are always the first priority.
Until I realized
no matter how long, or how many revisions are made over and over, everything will never be perfect.
However, with every new upgrade, old themes/plug-ins and such most likely won't work in the new version. This is the most problematic dilemma for everyone, especially for general users who don't know the basics at all.
This is what I do every upgrade (and probably anyone else who uses WP for their site):
- Test the new version with the theme/plugins
- If everything screws up, check with the theme/plugin provider
- If there's an update, test it again; if they don't provide anything (project stopped/delayed, or the provider didn't bother at all), then check for alternatives.
- Worst case, if there are no alternatives, change everything.
Result: Whole new design/concept
Some developers I know have already quit updating their themes/plugins for WP because they can't update frequently.
For big sites which use WP as a core, some of them didn't even bother to upgrade at all since everything is custom; instead they only patch/fix security holes. (Okay, this might not be entirely true, it just happened to a few sites that my friend manages, since he is a web developer.)
Back in the past, when blogging was still "new" and "booming", people often asked me for advice, and I recommended that they use WP, but most people who used it gave up after 1 year; the longest was 2 years. The main reason they closed their accounts was that they couldn't maintain it. Sure, there's auto-update in most control panels, but it's for the engine only, not the make-up. So now, if anyone still asks for advice on blogging, I just recommend using WordPress.com and redirecting their domain to their blog on WordPress.com.
End Rants
Sorry for the long story =)
-------
For localhost testing, personally I use XAMPP, because I'm working under Windows OS and it can be used for any other PHP/SQL apps. By the way, it also has Mac OS and Linux versions.
Cheers.