>who knows why this message was plastered everywhere when "they" decided to call it quits.
Because "they" are no longer updating it and at some point there will be security issues that will go unfixed.
Same thing with Windows XP. It didn't immediately fall apart when support ended, but we were pushing so hard for it to go away because it would never see another security update. It's just really, really bad practice to use something that will never be updated, especially a security product.
Windows XP was not audited, and it's been full of bugs since day one, with new vulnerabilities every month, year after year. And it has a huge attack surface. That's hardly comparable to TrueCrypt.
TrueCrypt WAS audited and yes there is a risk of some serious vulnerability being found in the future, but at least we know there's none known for now (not publicly, at least).
That same risk, that some serious vulnerability could be found in the future, also affects all other existing encryption products, since none have been formally demonstrated to be secure.
If I can migrate today to a different product, then I can just prepare to migrate in the future but stay with TrueCrypt until such vulnerability is found, if it ever is. There is, after all, the possibility that none will be found, and it's more likely that none will be found in TrueCrypt than it is in other non-audited products. Why should I switch now?
And why would it be better today to use a product that has not been audited so far but is supposedly still being supported, instead of using one that HAS been audited even if it has been abandoned? Furthermore, currently supported products could be abandoned tomorrow too, or worse: their support could be deficient in the future.
I acknowledge that your argument has some well-known heavyweights backing it. Bruce Schneier mentioned this risk about TrueCrypt recently, and then he went on to recommend some closed-source solution based on its creator's good vibes. Tom Ptacek also resorted to this newfangled "vibe" method in one of his comments in this very thread. I fail to see the point in all this. Maybe I'm missing something, but I find such reasoning specious.
I never said "don't use TrueCrypt". I'm just explaining why they posted that message. They said "this product will likely have unpatched vulnerabilities in the future" because it will likely have unpatched vulnerabilities in the future. It's unsupported, and using unsupported security software is really bad practice.
Use TrueCrypt, it's probably pretty secure still. A year from now, I might not be able to say the same thing. Two years from now will be even worse. It will get harder and harder to keep recommending it as time goes on and it hasn't been updated. But if anyone is wondering why they posted that message, it's not cryptic. It's just forward-compatibility. Eventually there will be a vulnerability, and it will not be patched.
What do you mean a flawed argument? I'm not arguing anything. I'm explaining why they posted that message. If you want it to be easier to understand, imagine they said "It might not be 2015 anymore". "It's not 2015" is not a true statement, but in a matter of time it will be true. They literally never need to update that text. It's either still 2015 or it is not 2015 anymore. TrueCrypt is either still secure or it is not secure anymore. Either way, the statement "TrueCrypt may not be secure anymore" will always be valid.
If you think TrueCrypt will remain secure forever just because it's been verified as secure in the past, remember that there was a time when computers could not crack an MD5 code. When SHA-1 was considered secure.
I'm not arguing anything, just pointing out the obvious. Secure software today does not mean secure software tomorrow, especially if the software is not getting regular security updates. There is objectively no flaw in that statement.