I find it incredible that people set up a Joomla site and once running they seem to assume that it will continue to run safely for ever more! Every day in this forum we see people using Joomla versions with known critical security issues, just waiting for a hacker to come along. That is the last thing you want on a working eCommerce website!
At the time of writing here the only known secure version of Joomla 2.5 is J2.5.14 - all previous versions have critical security issues.
It is easy to keep up with the security status of Joomla - just subscribe to http://feeds.joomla.org/JoomlaSecurityNews
For vulnerabilities in Joomla extensions subscribe to this feed: http://feeds.joomla.org/JoomlaSecurityVulnerableExtensions
For security and new reports of VirtueMart subscribe to http://feeds2.feedburner.com/VirtuemartNews
or regulary visit http://virtuemart.net/news/list-all-news
where you can also sign up to have the VM news items emailed to you when released.