
Support for OpenSSL 1.0.1 will cease on 2016-12-31 [1], so distributions need to update anyway.

[1] https://www.openssl.org/policies/releasestrat.html



Just because something is no longer supported upstream does not mean that the distributions won't support it anymore.

As far as I can tell it is more likely the package maintainers will backport fixes to their old version in those cases.


Sure, package maintainers may backport fixes to their old versions. But they need to fully understand all upstream source code and follow all commits. Otherwise they can miss important fixes: following only security fixes for supported branches is not enough. Sometimes project developers fix a bug/security problem in the code, but don't flag it as a CVE because current code usage doesn't trigger it. But code in an old branch could.


That's the current reality. That's how it was for years. Especially CentOS and other RH-based systems are happier to patch than to upgrade. This caused the kernel 2.6.32-573 situation where lots of patches (over a hundred?) were applied by the distro.


> Sure, package maintainers may backport fixes to their old versions. But they need to fully understand all upstream source code and follow all commits.

Only if they need to do a perfect job. But as history tells us, they are just as content with doing a ho-hum job.


That's still more than six months away though.
