Melpa is IMO fundamentally broken. It doesn't keep all versions of packages so pinning isn't really an option. The end result is that when two users install the same non trivial config the chance that they are running the same identical code is near zero. It's a nightmare for maintainers, with many bugs being not reproducible. Melpa-stable is supposed to be a solution for this, but few maintainers actually test their package with -stable dependencies, so the end result is that using melpa-stable is less stable than just running the latest of everything. I used to auto update my packages, most frustrating year of my life. Complete Russian roulette. With corgi we bundle a straight versions file which we auto install on first run. Every user runs the exact same code. Finally some degree of sanity.

yes not using straight.el nowadays is asking for trouble

It depends on the complexity of your setup – the number of packages you have, the packages themselves, etc. I never had any trouble by not using straight.el.

it's more work not to use imho 🙂 - my setup is quite simple. If you don't upgrade often, do not have to have the same config on multiple machines maybe you can somewhat justify not doing the effort, but even then I think it's worth upgrading, it's very a small amount of work for a lot of security/flexibility

Good point, it makes it easier to have a multiple machines setup. It’s not my case, but I can see how it can be useful for that, for example.