While I believe that proactive security practice is necessary for every consumers, the most conversave ones should argue that even a security update will possibly break compablity.

Now I am in trouble. With rsync 2.5.5 installed on a FreeBSD system, we know that it is possible to overflow its heap, however, shall we patch it, or just let it as-is because it is not exploitable on FreeBSD, unlike Linux’s silly brk(9) implementation?

Not sure, but I do not completely agree with the leave 2.5.5 as-is idea. Personally I’d deprecate the idea, because a tested security update (proven to be non-breaking change), should be deployed as soon as possible. It is possible that our system is not vulnerable today, but nobody can guarantee there is or is not possible security problems until the code is completely reviewed.