Yea, it depends on the software in question.
Personally anything that can be used as an attack vector I prefer to have the latest version of, unless there are known exploits in the latest version.
Or just switch to something that's already secure by default, like replacing sudo for doas for example.
Though it's not always possible, for example replacing OpenSSL for LibreSSL will break lots of Linux soft that rely on it.

> I think i2pd itself is (was?) unstable. In the past I had it segfaulted every after a while on other distro (not Debian-based) too. But on Debian I have switched to their upstream binary since I experienced those bugs.

Thanks for proving my point.
Yes, I know that i2pd isn't often breaking on specific distro's, like it was working fine on Devuan, Artix, and kind of OK-ish on OpenBSD on version 2.44, but on FreeBSD it would crash all the time.
2.45 would crash if you have UPnP enabled, which I know because I even had the very guy who fixed that bug in my IRC server at the time, and 2.45.1 had an exploit that allowed the entire network to get DDoS'd.