How often to upgrade PHP & MySQL

I'd agree with the 4/6 week update pattern, as you are hosting an important service, the chance of somebody abusing a bug in either PHP or MySQL is larger than someone hosting a smaller service.

As a rule, for MySQL, unless you're looking for particular functionality implemented in a new version, there's no real need to upgrade between minor versions unless a security vulnerability is fixed. Even then, if your server is correctly configured, MySQL should not be listening on a public interface anyway, and additionally should be firewalled off from outside access, so any security vulnerability should effectively have zero effect on you.

Similar scenario for PHP. You only really need to install new modules as required, or perform a complete update in the event that a security vulnerability is fixed. In any case, you're far more likely to be hacked through an incorrectly configured php.ini file (and subsequently a hole in a piece of sloppy code which makes use of this misconfiguration, for example, opening a URL as a file) than you would through a vulnerability in PHP itself, since these are fairly uncommon.

I think a 4-6 week update cycle is a bit too often to be worth it. Rather look at upgrading PHP / MySQL every 4-6 months, and rather focus on upgrading the individual web applications, as these will have fixes pertaining to security issues far more regularly. I suggest subscribing to some security bulletins, and upgrading your web applications as soon as there are fixes available, never waiting more than a few days after a security issue has been identified and fixed.

Most importantly, you should look at incorporating this update cycle into your company's policy and procedure documents. It's always so easy to let updates slide when there are seemingly more important things on the go.