Martijn,
It is precisely because of past reluctance to upgrade infrastructure that the industry is getting into the nightmare scenario of insecure ciphers that cannot be replaced! Hence HTTP/2's effort to try to mandate stronger ciphers and our own preference to EOL Java 7 support. This is to put back pressure on other infrastructure developers and deployers to upgrade and make forward progress possible.
If a security bug is found in 9.2, we will almost certainly fix that in the mid-term future. Non-security-related fixes that result from commercial support will also make it back to the open source repository... but perhaps not in a formal release (at least not a frequent cycle).
The beauty of open source is that 9.2 will still be available and patchable if need be. We are just saying that it will no longer be a priority for us to do so and that 9.2 users really need to plan to migrate to a more recent release and to put pressure on any other suppliers that are holding up that process.
cheers