In general, I would consider packages that are directly exposed to the internet to be the ones I'm worried about as well as things that are indirectly exposed like AmavisD-New/ClamAV/SA/DSPAM because they are processing spam/virus/trojan emails.
Unless you are doing something funny with Zimbra, MySQL current shouldn't be an issue as there is no public exposure.
Although Postfix isn't current, I don't think any of those releases included security updates, I think they are just normal feature/bug fix updates. I have a lot of confidence in Postfix because it's security track record speaks for itself.
Apache/PHP/A-Spell seems lower risk because of the very limited nature of what you are *supposed* to be doing with that.
Just because there is a vulnerability in a package doesn't mean that you are exposed. It really depends on how the package is being used. So, for example, even though PHP is not current and there are security updates for PHP, I don't think that Zimbra is affected by those because of how it is used.