Ahh, I see. Very good.
I would (and do) keep my OS updated. Some of the updates fix vulnerabilities.
We've tried to make it so that if the online computer is totally under the control of an attacker, there's still minimal risk to the offline computer. You obviously want the online computer to be free of malware, and so you should take preventative measures, but it's still the offline computer that matters. And the attack surface is pretty slim.
People have asked if the offline computer should be updated with OS updates, etc. My attitude on this is: if you are going to keep the offline computer updated, you are introducing far more risk than you are reducing: you will be regularly transferring data from your potentially-compromised online system, and executing it with root privileges on your offline computer (to install the updates). This seems to introduce a recurring (weekly?) channel for remote, root execution by the online computer to the offline computer. Even without a fancy USB virus, this could be exploited with someone pushing a coin-stealing chunk of code into a system library/service update silently. It doesn't have to persist for long to compromise a lot of people who are diligent about updating their offline computer.
Personally, I'd feel safer using a version of Linux/Ubuntu that has been around for a while (perhaps before Bitcoin was worth $billions), and has a well-known verifiable CD/DVD hash. I believe the attack vector of such an OS--even if there are known vulnerabilities--is far smaller than having users regularly execute code transferred from their online computer with root privileges.
Also, updates can introduce vulnerabilities. It might be the case that vulnerabilities are reduced on average, but if you are updating software with all sorts of new features, you might actually be adding more vulnerabilities than you are fixing.