Critical is very subjective. You say you haven't observed any service problems, but also it depends on what you do with Splunk, how your Splunk processes are exposed, and what your organization classifies as critical. You may want to evaluate notices posted on the Splunk Security Portal for a number of notices on versions between 6.2.1 and 6.2.5.
You may also want to review the Release notes for each version. For example here's a link to 6.2.5's notes, and the others can be found on links near there.
Thanks for the details. In terms of must do an upgrade is what Im suppose to say. Have a great day!