YMMV
Not in this case.
People who use PHP 4.4.4 for stability reasons have not been offered a security update, and need to patch PHP manually.
PHP 5.1 was dumped, and people who wanted the latest security fixes had to upgrade to 5.2 or roll their own security fixes.
Perhaps this is hard to believe if -- as is evidently your situation -- you aren't in a position where you have to pay attention to security updates of core modules such as PHP, but trust me, this
is a core problem with PHP, and no, your mileage does not vary.
If you, however, should be in the situation where you need to administer computers and maintain software,
Secunia is one of several pretty decent sources for disclosed vulnerabilities.
Here's the writeup for the htmlentities() and htmlspecialchars() remote system access vulnerability in
all versions prior to 5.2.0:
http://secunia.com/advisories/22653/
There are also two currently unpatched but disclosed vulnerabilities:
http://secunia.com/product/5768/?task=advisories
We expect to see a whole lot more disclosed vulnerabilities in January.