Most of the libraries defined in requirements.txt are very old and have been updated since. Using their latest version would improve the stability and security of the project. Note that some dependencies of used libraries have changed in the meantime.
The packages on production are installed by puppet and apt, so the versions are not arbitrary. We would need to upgrade the distros (which needs to happen pretty soonish anyways) in order to upgrade the packages. (Or @Halfak could you explain how the packages are installed for ORES?)
requirements.txt is only used for the testing environment (vargrant) and reflects that's being used on production.
For the record
framawiki@quarry-main-01:~$ /srv/venv/bin/pip freeze Flask==0.10.1 Jinja2==2.7.3 MarkupSafe==0.23 PyJWT==1.4.1 PyMySQL==0.6.2 PyYAML==3.11 SQLAlchemy==0.9.7 Werkzeug==0.9.6 amqp==1.4.5 anyjson==0.3.3 argparse==1.2.1 billiard==22.214.171.124 celery==3.1.13 httplib2==0.9 itsdangerous==0.24 kombu==3.0.21 mwoauth==0.2.8 oauthlib==1.1.2 pytz==2014.4 redis==2.10.1 requests==2.10.0 requests-oauthlib==0.6.2 six==1.10.0 translitcodec==0.3 unicodecsv==0.9.4 wsgiref==0.1.2