Update is clearly the better option. Though reading about the iPad 2 being potentially compromised by BroadPwn, I have suggested my friend get a newer second hand iPad, considering once I update and get the ipad running my friend will return to his mum who will continue to use and let her grandchildren use.
I'm more concerned that my friend and his families personal details will be stored on the iPad once it is updated and then they take the ipad with them when they go out shopping etc, where there is higher risk of getting the iPads Wi-Fi compromised, particularly since a credit card is needed to use an Apple ID. His mum had been told by a phone repair shop that they could 'fix' the disabled ipad for $30, which I could do for free, though the shop attendant might have failed to advise about the potential increased risk of security vulnerability.
I think it could be potentially dangerous if the ipad could be remotely controlled in an attempt to exploit their private information, which I imagine could then be sent in emails on the ipad to the 'hacker' to allow further exploiting icloud or apple id accounts oreven banking information etc.