Perhaps - but Apple has used very old core utilities for a very long time (licensing issues) but ensures they get security updates. Until recently, they used, what, bash from 2006?

There's no licensing issue with LibreSSL, nor any of the other ancient utilities from FreeBSD or elsewhere that Apple doesn't keep up-to-date.

There were issues with utilities that were using GPLv3. That is why they switched to Zsh instead of Bash for example.

If the old version has known security flaws it should be possible to exploit them, correct?

If those exploits don’t work perhaps Apple is playing dolly nuggets with the version number.

Nah, there are all sorts of missing features, some of which were added over a decade ago. With a few small exceptions and modifications much of the Unix base has been quite dead for a long time.

The suggestion being made is that bugs and vulnerabilities are being fixed without adding new features, in order to provide a safe but very stable feature set.

Well people (including me) are bashing Apple for this deviation. Also it has been a constant consideration when linking/shipping binaries in production. So I feel it is fine to bash Microsoft for doing the same thing.

Perhaps Microsoft has an ABI reason for doing so? I can't imagine why else.