Are major WordPress updates mandatory for security?

Yes and no, it depends.

When a security issue is fixed, it’s usually backported, so officially the answer is no, you don’t have to update to the latest major release.

However, backporting only goes back so far, and you’ll eventually be left in the dark given enough time. This would take many years currently, but there have been a lot of discussions suggesting the current back-porting policy is too generous and creates too high a burden.

You also run into other problems, as plugins and themes may not be able to update themselves, and PHP updates from your host may not work well with older versions of WordPress. E.g. PHP 8.0 is best used with the latest versions of WordPress to avoid issues.

Ideally keep within 2 or so major versions of the current release, and always apply minor updates. This brings you in line with many enterprise WordPress hosts, and gives a little room for testing.

Remember, WordPress updates should not break your site. If a theme or plugin breaks due to an update that’s usually a warning sign that the plugin/theme is of poor quality. You can also look up the field guide posts in advance for new WordPress releases for breaking changes, so none of this should be a surprise. You should also be testing releases before applying them.
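To make the "within 2 major versions, always apply minor updates" rule checkable, here is an added Python example (not from the answer above). It counts X.Y release branches rather than doing version arithmetic, so 5.9 to 6.0 is one step; the release list is a constructed sample, and a real check would take it from the wordpress.org version-check API or `wp core check-update`.

```python
# Added example: score an installed WordPress version against the policy
# "stay within N major (X.Y) versions, always apply minor (X.Y.Z) updates".
# Release data is a constructed sample, not live data.
from dataclasses import dataclass


def parse(version: str) -> tuple[int, int, int]:
    """'6.5' -> (6, 5, 0); '6.4.3' -> (6, 4, 3)."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


@dataclass
class Assessment:
    branch: str                 # installed X.Y branch
    latest_on_branch: str       # newest X.Y.Z published for that branch
    minor_update_pending: bool  # a backported fix exists but is not applied
    majors_behind: int          # number of newer X.Y branches
    within_policy: bool


def assess(installed: str, releases: list[str], max_majors_behind: int = 2) -> Assessment:
    inst = parse(installed)
    parsed = [parse(r) for r in releases]
    # Count branches instead of subtracting numbers: 5.9 -> 6.0 is one major step.
    newer_branches = {p[:2] for p in parsed if p[:2] > inst[:2]}
    on_branch = [p for p in parsed if p[:2] == inst[:2]] + [inst]
    latest = max(on_branch)
    minor_pending = latest > inst
    majors_behind = len(newer_branches)
    return Assessment(
        branch=f"{inst[0]}.{inst[1]}",
        latest_on_branch=".".join(map(str, latest)),
        minor_update_pending=minor_pending,
        majors_behind=majors_behind,
        within_policy=(not minor_pending) and majors_behind <= max_majors_behind,
    )


# Constructed sample of published releases (not the real current list).
SAMPLE_RELEASES = ["6.1", "6.1.6", "6.2", "6.2.4", "6.3", "6.3.3", "6.4", "6.4.3", "6.5"]

if __name__ == "__main__":
    for v in ("6.5", "6.3.3", "6.2", "5.9.1"):
        print(v, assess(v, SAMPLE_RELEASES))
```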