I wouldn't say it's insecure, but you may miss some important bug fixes.
Keep everything up to date if possible is always the best alternative.
On 2018-07-19, Benke, Tim wrote:
It’s intuitively clear to me that an outdated adapter communicating with a *newer*
adapter from the server itself.
What about the opposite case of a new backend adapter with version 4.0.0.Final and an
older Keycloak 3.4.3. Is this insecure? We’re considering this option to reduce the hassle
of updating keycloak itself and upgrading our custom theme.
keycloak-user mailing list