[frankjr]

> Projects can't keep using an old compilers because of security patches though. At some point, the old versions are too old to keep the security up to date.

I'm talking about using the same language version (standard), not compiler version - e.g. the latest Clang still supports the C++98 ISO version.

> A more common example, what if a library that you use stops supporting the old version, and the latest compatible release of the library has a security vulnerability.

You backport the fix or the change library. Nobody said it's easy but your project should not hold the entire language hostage.