…and exactly that is the biggest issue affecting all of us. Bugs are attended quickly, in the maintained branches, but no one remembers the situation for older/ unmaintained branches. The older the respective branches get, the harder this becomes - and no one is really able to keep a correct timeframe in mind.
Backporting is hard work, in keeping track of what might be affected, in evaluating if the older versions really are affected, in then doing the actual backporting of the given fix, to sources that might have changed significantly in the mean time - and then to keep the old build infrastructure working (both monetary, in terms of resources, as well as in human costs of keeping it running, hosts updated, old branches compilable on newer host systems(!)) - and it's 'boring' work (repeating what has already been fixed in the current code multiple times). Backporting might also bring new challenges, which could be potentially dangerous in itself (backporters are rarely specialists on the code they have to touch, they might miss important things when backporting a fix to an older code base, which might even open a bigger hole than the one they ought to fix) - and old issues might have been fixed silently, without anyone noticing that the changes might have fixed a potential security issue by accident - rather than 'just' being a general code improvement.
There is a reason why enterprise distributions (like Red Hat, SuSE, etc.) need to employ more staff on backporting, security and integration testing, than to develop new stuff - this it what costs real money, in chronically scarce human resources.
If your device has fallen of the cliff for minimum system requirements, you really need to plan a hardware replacement soon, very soon. In this modern age there are numerous entities from organized (cyber-) crime to state actors constantly searching for vulnerable devices to add to their botnet inventory. It's gotten 'easy' - and profitable, so it's being done, 24/7, constantly. OpenWrt does not bump the minimum system requirements just for fun, it usually follows practical deprecation of these devices and is quite slow at formally declaring insufficient system resources as being unsupported (typically those devices have been barely able to cope with at least 2+ major releases already). 4/32 devices have been very low-end by around 2012/ 2013 already, if you bought any of them after ~2015, you really only have yourself to blame. If you are still operating any of those, it's time for a replacement, not tomorrow, half a decade ago already(!) - the (only) good aspect of that, viable replacements for those are cheap (especially on the used markets). 8/64 devices are a slightly different topic for now, but you do see the writing on the wall, plan accordingly - this is still an early warning, but their time will come.
The gist of it is, you really want to run the most current -security maintained- code on your border gateway, which does the major job of shielding you from many perils on the open internet, this one does need to be secure and is worth the attention and money needed to keep it current. OpenWrt can extend the (supported) life time of your devices considerably, but there are limits to how far that goes - and those limits will bite you earlier on low-end devices, than on medium- to higher end ones (but you also paid less while purchasing it, so…), so I'd always recommend to make healthy margins to the stated minimum system requirements a buying decision (again, the used markets can be a viable alternative to get better devices for less). Keep track of these margins during the operational life time of your devices and flag anything that's getting marginal early, plan ahead and schedule potential hardware replacements well in time. With some sacrifices in functionality and adapted expectations you can usually even extend the life time of your devices with current OpenWrt quite a bit beyond formal deprecation schedules (dropping features you don't strictly need, e.g. the opkg or the webinterface), but once you hit these hard decisions, the warning bells do chime at full volume, listen to them and plan ahead.
Running older, no longer supported, versions should never be considered an option, not even as APs behind your border gateway(!), as we are constantly seeing security fixes all over the stack, from wireless- to service level vulnerabilities (and browsers/ javascript et al can even attack your devices from the inside to quite some extent) - and there is no one keeping track of the situation for deprecated releases, let alone fixing them.
