Two full years for an evergreen web browser, which contains probably the largest surface area for software exploits of anything on the machine? I’d argue absolutely yes.
As others have echoed, this is probably a huge marker for malicious bots to Cloudflare.
The evergreen browser is a thing, but the idea that everyone can trivially upgrade those browsers is promulgated as true when it's a bit of a myth.
It is sometimes expensive for people to upgrade browsers, called evergreen by developers so they can avoid annoying support expenses for a few percent of people.
I had a phone running a Mozilla browser, which received updates until it didn't any more.
Then the only way to upgrade browser was to purchase a new smartphone.
Unfortunately it was a superb device with no newer replacement, so to upgrade browser I had to downgrade my smartphone for other uses, and pay the cost of an expensive new smartphone despite not really wanting one. But sites saw it as "you are running an old Firefox, you obviously can trivially upgrade".
I still have a perfectly great old Android tablet running an old version of Chrome which cannot be updated. Other than website compatibility, everything on it that it is used for is still working flawlessly. Perfect screen, sound, wifi, memory, battery.
For now, enough sites work on it that I still use it. That can be replaced easily with another tablet, but it is disappointing to have to spend cash and throw away a working product to e-waste, just to replace it with a functionally identical device because of the way the software treadmill works. (It doesn't have to work like that, it's a choice made by developers collectively.)
Yes, plus one of FF's upgrade slipped in the change that ignored your setting on "allow unsigned extensions" which broke a vital UX app I had been maintaining after it got abandoned (pentadactyl: I had gotten so used to clicking links from the keyboard that it was really frustrating when I suddenly couldn't; fortunately there have been similar projects since that carried the torch).
I mean, they said they gave long notice for the change, but I didn't think that a browser that "empowered users" and "gave them control of their machines" would ever do that. I mean, if every change has to be approved by Mozilla, why not just shrink wrap the browser and make me get it from Microsoft at Best Buy?
Between the huge and complex attack surface and being exposed to a huge number of untrusted websites, running a browser without security updates is pretty risky. So I'd call any unsupported browser "severely outdated".
Long term support (ESR) Firefox releases are supported for about 15 months from release. And even that means using a major version that old, not a point version that old. Firefox 57 wasn't even an ESR, so it went out of support a couple of months after release.
https://www.mozilla.org/en-US/firefox/57.0/releasenotes/