Security and bugfixes, after one or two rounds of testing by early adopters/key users. Preferably through some form of automatic updates.

New features and breaking changes, or anything that requires the end-user to pay attention, I’d say no more than 4 times a year, and using a non-automatic form of update. The hard thing is getting the user’s attention on the changes, and not just clicking next and then having a broken or insecure installation.

KeePass. Putting your passwords on someone else’s webserver is just asking for trouble.