Our current policy is indeed to fix the cordova/phonegap plugin versions, and only bump them in case of a clear need (e.g. a bug report). This way, we can ensure consistent behavior over time. The downside is of course that bug fixes and new features in those plugins do not make it to your Mendix hybrid app, unless you update the config.xml manually.
Some plugins have been upgraded to the latest version, over the past few months. Others are lagging behind quite a bit. My advice for now would be to only upgrade in case of a real need. I'll see if we can go through the list and update the default versions to their (near-)latest values sometime soon.
By the way, it is my understanding that for any configuration in the config.xml, the last value is used. You might be able to use this mechanism by specifying newer plugin versions in the custom configuration block, as these will be added to the end of the file. However, I have not tried this out yet...