Not Every Component Needs To Be at The Latest Version
It makes sense to me to have ClamAV and SpamAssassin be quickly updated within Zimbra when ClamAV and SA are updated themselves. These packages directly impact the end user experience, and with the overwhelming majority of email traffic comprising spam, bots and viruses, these two packages stand out as ones Zimbra ought to be updating ASAP, IMHO.
Re Apache, Cyrus, Postfix and MySQL, I believe we should get security updates ASAP, but we don't need version updates unless there is a major functionality improvement (anvil in postfix comes to mind as worthy of justifying a version upgrade).
Since Zimbra insists on installing its own version of components normally supplied by a distro, Zimbra to me is kind of like a mini-distro. Consequently, I think Zimbra have a responsibility to keep their "distro" as secure as possible, just as Fedora, SuSE, etc. keep the components of their distro up to date with security updates on a timely basis.
All the best,
I opened a bug (RFE) for this...
Please vote if you want to see out-of-cycle updates for clamav/spamassassin/etc.