Well, as far as the kernel goes, you could be maintaining it 'correctly' even if you don't upgrade the kernel to take care of security problems.
You know the security problems are only problems if they are actual problems. Like for instance there was an advisory with iptables in a kernel that would require a kernel upgrade to fix, but if you don't use iptables on that machine then what does it matter? Same thing with the advisories about SMB drivers being flaky... why does that matter if you're using CIFS drivers, which do the same thing?
Of course some kernel advisories can't be ignored. 1200+ days is a long time... but it all depends on the actual machine and what it is being used for.
On the other hand, if you can easily absorb the downtime, then it makes things a lot simpler if you just use the latest packages of whatever you have, just as long as you know it all works first.
Where I work we have a couple machines that haven't been down/rebooted since February 2002. But the majority of them have been rebooted at least once this year. Not much is needed on the weekends, so it's fairly simple to schedule some downtime to get kernel security updates applied.
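An added example (not from the original comment): a small sh script that does the triage the post describes, checking whether the modules an advisory names are actually loaded before a reboot is scheduled, and reporting uptime in days. The lsmod sample and the module names attached to each advisory are constructed for illustration, not taken from any real advisory.

```shell
#!/bin/sh
# Constructed lsmod-style sample so the script runs offline (not real output).
SAMPLE_LSMOD='Module                  Size  Used by
cifs                  245760  2
nfs                   160000  1
ext3                   90000  3'

# loaded_modules TEXT: print one module name per line from lsmod or
# /proc/modules style text (the lsmod header line is skipped).
loaded_modules() {
  printf '%s\n' "$1" | while read -r name _; do
    [ "$name" = Module ] && continue
    printf '%s\n' "$name"
  done
}

# advisory_applies MODLIST mod...: return 0 if any named module is loaded.
advisory_applies() {
  loaded=$1; shift
  for m in "$@"; do
    for l in $loaded; do
      [ "$l" = "$m" ] && return 0
    done
  done
  return 1
}

# uptime_days TEXT: whole days from /proc/uptime contents ("secs idle").
uptime_days() {
  secs=${1%%.*}
  echo $(( secs / 86400 ))
}

# Use the live module list when /proc is available, else the sample.
if [ -r /proc/modules ]; then
  mods=$(loaded_modules "$(cat /proc/modules)")
else
  mods=$(loaded_modules "$SAMPLE_LSMOD")
fi
[ -r /proc/uptime ] && echo "up $(uptime_days "$(cat /proc/uptime)") days"

# Caveat: code built into the kernel (not a module) never shows in lsmod;
# for netfilter, /proc/net/ip_tables_names lists tables in use regardless.
if advisory_applies "$mods" ip_tables iptable_filter || [ -r /proc/net/ip_tables_names ]; then
  echo "netfilter advisory: applies, schedule the kernel update"
else
  echo "netfilter advisory: subsystem not in use here"
fi
if advisory_applies "$mods" smbfs cifs; then
  echo "SMB/CIFS advisory: applies, check which driver the advisory covers"
fi
```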