I think vulnerabilities in old versions are mostly ddos types so as long as those older versions are under 50% or so of the entire ecosystem it’s a net positive to have them… in the case there’s a bug/vulnerability that takes down only the newer versions. That’s what I’ve heard stated in technical podcasts.