mvdgraaf's picture

Hello, I'm a newbie and I would like to know how to update PHP on TKL WP 13.0.

It's now running 5.4.4-14+deb7u8 and has some vulnerability risks.

Thanks a lot.

Marcel

Jeremy Davis's picture

If you use PHP v5.4.4 on Windows or Mac then you are probably right, there probably are security bugs...

But in Debian (and many other Linux distros) instead of updating the version of software (which often creates incompatibility issues with software and/or system instability) the specific version stays frozen and security fixes are backported and applied. TurnKey Linux is configured to automatically download and install these security fixes as they are released.

If you look at the changelog for the PHP5 package in Debian 7 (Debian 7 aka Wheezy is the basis of TurnKey v13.x) you will see that when Debian 7 went stable it had 5.4.4-14+deb7u1 and it now has 5.4.4-14+deb7u8 (in other words the current version has been updated 8 times since the version was frozen at 5.4.4 - 7 times since Debian 7 has been 'stable').

Once security bugs are noted, they are usually fixed very quickly. There have been cases where the bugs were actually found by Debian devs and fixed in Debian before they were made public. Obviously that isn't always the case but the Debian security team take their job very seriously!

Having said that, if you really want to update it is possible, but it is not recommended. It will most likely make your server less secure and higher maintenance...
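An added example, not part of the original post: the backporting described above means the upstream part of the version stays at 5.4.4 while fixes arrive in new Debian revisions, and each revision's changelog entry names what it fixed. The sketch below splits a Debian version string and lists the CVE ids mentioned per revision; the changelog text and CVE ids are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in Debian changelog format. The CVE ids are placeholders,
# not real entries from the php5 package changelog.
SAMPLE_CHANGELOG = """\
php5 (5.4.4-14+deb7u8) wheezy-security; urgency=high

  * Fix for CVE-0000-0003 (placeholder id).
  * Fix for CVE-0000-0002 (placeholder id).

 -- Maintainer <maint@example.org>  Wed, 01 Jan 2014 00:00:00 +0000

php5 (5.4.4-14+deb7u1) wheezy-security; urgency=high

  * Fix for CVE-0000-0001 (placeholder id).

 -- Maintainer <maint@example.org>  Tue, 01 Jan 2013 00:00:00 +0000
"""

# Entry header: "package (version) distribution; urgency=..." at column 0.
HEADER = re.compile(r"^[a-z0-9][a-z0-9+.-]* \((?P<ver>[^)]+)\) ")
CVE = re.compile(r"CVE-\d{4}-\d{4,}")

def split_version(version):
    """Split a Debian version into (epoch, upstream, debian_revision)."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    if not sep:  # native package: no Debian revision part
        upstream, revision = rest, ""
    return epoch, upstream, revision

def cves_by_revision(changelog_text):
    """Map each changelog version to the sorted CVE ids its entry mentions."""
    fixes, current = {}, None
    for line in changelog_text.splitlines():
        match = HEADER.match(line)
        if match:
            current = match.group("ver")
            fixes[current] = set()
        elif current is not None:
            fixes[current].update(CVE.findall(line))
    return {ver: sorted(ids) for ver, ids in fixes.items()}

def fixed_in(changelog_text, cve_id):
    """Return the versions whose entry mentions cve_id (empty if none does)."""
    found = cves_by_revision(changelog_text)
    return [ver for ver, ids in found.items() if cve_id in ids]
```

On a Debian system the real input is the package changelog, for example the output of `apt-get changelog php5` or the file `/usr/share/doc/<package>/changelog.Debian.gz`.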

mvdgraaf's picture

Hello Jeremy

Thank you for your explanation. As I already wrote I'm a newbie on this. It's good to have people like you giving advice, I really appreciate what you are doing. I will leave the TKL as it is and trust that the PHP security aspect is fine.

I did a free Web Site Security Audit from Beyond Security and so I found out about the vulnerabilities. 

Here's the report:

Vulnerability Summary

High (4):
- PHP Running Version Prior to 5.4.17
- PHP Running Version Prior to 5.4.16
- PHP Running Version Prior to 5.4.12
- PHP _php_stream_scandir Overflow

Medium (3):
- PHP Running Version Prior to 5.4.18
- PHP Running Version Prior to 5.4.13
- PHP expose_php Information Disclosure

Many thanks.

Marcel
