First, upgrading is not so complicated. If systems can be brought offline for upgrade, the upgrade scripts take care of everything except /etc and /var changes, and then the sysmerge(8) tool automates most if not all of those.
The upgrade guides describe the changes in detail so that you are informed of what has changed architecturally and can make appropriate decisions, as necessary, for new or changed functionality.
Second, upgrading at least once per year is required if you wish to run on a supported OS. The "security fixes" you mention are only backported one release. When 5.1 is released on 1 May, support for 4.9 will drop. The 4.7 system you installed in 2010, if you did not upgrade, is already unsupported.
Since upgrading two releases at once is the same effort as upgrading twice, the only reason not to upgrade twice per year is to avoid a single scheduled outage. But if you apply patches or use -stable, it is likely you are already scheduling reboots more than once per year.
---
I'm a -current user, and I upgrade my -current systems at least twice per month. I will upgrade more frequently if there has just been some interesting feature or patch committed which I would like to test.