While I agree that this is an issue, it is not necessarily an error.
Apple typically does not update Apache, Postgres, Postfix, etc. in their server updates. Those get updated alongside 10.9->10.10 OS X upgrades, or Server.app 3.x->4.0 updates.
The only exception to that process that I'm aware of is Apple updating Postgres when they went to Server.app 4.1.
If you manually update these open-source packages, you run the risk of breaking the Server.app's GUI controls. Apple has usually done some rather significant under-the-hood modifications of the off-the-shelf open-source packages.
If this is a problem for you/your company, you should consider switching server OS platforms to one that receives more frequent and timely updates to address security vulnerabilities.
If you'd like some specific recommendations or have additional questions, please don't hesitate to reach out to me privately.