You need to update at least all the programs that face the Internet, or that receive data from the Internet.
But it is not always easy to know if a program can get data from the Internet.
For example, you ask about Word: you definitively need to update Word. Vulnerabilities in Word are actively exploited by criminals. For example, they send you e-mails with malicious Word attachments.
But I'm sorry to say, it gets even more complicated than that.
There are also exploits that use a vulnerability in one program but need a component of another program to succeed.
A common example is a vulnerability in a program, say Internet Explorer, that is not exploitable because of ASLR.
But assume you also have a version of Adobe Reader on your machine, that loads a DLL without ASLR support into several process, like Internet Explorer.
The exploit writer will then use this Adobe DLL to bypass ASLR and successfully exploit your machine.
So the vulnerability is in IE, not in Adobe Reader, but Adobe Reader is instrumental for the exploit.
Upgrading Adobe Reader (with this Adobe DLL now supporting ASLR) breaks the exploit.
So in a nutshell, it's best to patch all programs.
SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019
If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.
Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"