For actual commercial stuff (i.e. where there is real customer PII and/or financial data at stake), I think the only responsible approach is to keep to a supported version of Perl. That means released in the last 2 years (I believe), so it will get security patches. You'd then need to keep up with the latest sub-version in order to get those patches.

I'd say it's the same as keeping your OS patched, and I hope you do that too.