WordPress plugins are developed by tens of thousands of programmers participating in development of the WordPress framework and are made available to larger development community either free of charge or for a fee. When plugin developer releases a new version of a plugin, all WordPress sites that use that plugin automatically display a message that this particular plugin is available in newer version. The update notification verbiage is a bit misleading, as it states that your plugin is out of date and must be updated, which makes it sound like your website is not using secure, functional software. That is simply not true.
There are multiple reasons why plugin developers might release a new versions of a plugin. They might want to add new functionality; they might want to fix a bug, reported by one of the plugin users; or they might fix a major security flaw. We, for our part, do not use unproven plugins that have any reported issues associated with them, so when we release the site to client we're confident that plugins used do not represent immediate security threat to the site we just build.
WordPress plugins are updated by their developers on regular basis, sometimes once a week. New plugin functionality does not necessarily function better or even the same as the previous version of the same plugin - there are instances when simply updating a plugin can crush the site using that particular plugin. That is why we recommend making a complete backup of the site prior to updating plugins and making updates on development server first.