We shouldn't lag too far behind upstream: a lot of security fixes are always added, and piwik.wikimedia.org is exposed to the Internet (even if behind CAS).
Today Razzi and I looked into this. We upgraded to Matomo 3.14.1. However, see http://debian.matomo.org/ and https://github.com/matomo-org/matomo-package/issues/131. Matomo is not maintaining Debian packages anymore beyond 3.14.1.
It'd likely be good to upgrade to Matomo 4+, but that will be more work than we are currently able to put towards it. We'll discuss as a team what to do. Resolving this task for now.
I think that we should open a separate task to fork https://github.com/matomo-org/matomo-package/tree/master/debian in a separate Gerrit repo and try to upgrade to 4.x in the future. Upstream often advertises medium to high security vulnerabilities (we are protected by CAS, but it is still a UI in our network exposed to the public, etc.) and it is really easy to forget about checking Matomo every now and then (I've done it in the past multiple times :D).
It would be a good Debian exercise for @razzi or anybody else that wants to work on packaging, and I can help in case DE is busy with other projects.