Do you trust package maintainers at Red Hat/Debian/etc. to properly backport security fixes to ancient branches? They don't exactly have a clean track record.
Look at the terribly old / EOL software in RHEL4 that is on "extended support" until 2017:
Edit: I stumbled upon some ELSA advisories a few weeks ago where additional security updates needed to be released for Apache because the CVE for which they intended to backport a fix was not adequately patched.
That is terrifying. There's a reason why upstream doesn't release fixes for those old releases.