I finally began to get on top of Wordpress upgrades a few months ago, with an upgrade to 2.5.1. It worked well, but left me open to what looks like a failed attempt to exploit a cryptographic splicing vulnerability in Wordpress 2.5.x. I'm still checking database tables now.
In the mean time I've finally followed Tom's advice (which I didn't take when he volunteered it at the time) and upgraded Wordpress to a subversion checkout of 2.6+ . It was no more painful than the previous upgrade, and looks like being a much simpler procedure in future owing to subversion's interface for switching versions.