And that includes security issues; there's one notable vuln where a malicious server or custom map can execute arbitary code on clients. Reported that a few months ago, it's fixed in CS:GO and TF2, but other Valve games apparently aren't receiving fixes (Portal, Portal 2, Left 4 Dead, Left 4 Dead 2, Counter-Strike: Source, HL2DM...)

And that's not to mention the folks who license the Source engine from Valve, who I'm currently trying to contact en masse and get them to fix this (and many other security-critical issues). Apparently, Valve doesn't push security patches downstream to them...