I don’t really like this. If my project has one dependency that is one year behind, that’s the same measure as if I have 52 dependencies that are all only one week behind.
As a general indicator, this might be interesting, but it is not useful in determining anything about a piece of software.
You also might want to remain behind, if you support old versions of a runtime, and you shouldn’t be penalized for that. As long as you haven’t missed any security updates, you’re fine.