You may not. If your website serves primarily as an Internet-accessible brochure, you trust the maintainers to have good backups and you run regular scans to check for new vulnerabilities, then we wouldn’t recommend a security assessment.
If, however, your website provides some important business function, process automation, or customer service, then you probably do. This is why standards like PCI, HIPAA, COBIT, etc. require periodic security assessments. Web applications can be complex and typically involve multiple building blocks not authored by the application creator. With all these additional components and complexity comes inherent risk and an imperative to quantify that risk.