Well, if you haven't fixed CVE-2015-3864, CVE-2015-3876 and CVE-2015-6602 chances are you are still vulnerable by visiting a wrong web page.

Just look at the monthly security fix notes. There are critical vulnerabilities getting fixed every month.

Here are more critical ones: CVE-2017-0764, CVE-2017-0756 from the September patchlevel that also affects Android 4.4.4. See https://source.android.com/security/bulletin/2017-09-01

In August 2017, three more. In July one. In May another two. Still not convinced?