We transitioned from S3 to R2 for downloads.mitmproxy.org because egress got prohibitively expensive for a hobby ($300/month). CI for 9.x still points to the old infrastructure. This does not mean we couldn't ship a patch release right now, but it would take me 1-2 hours.
The vulnerability in question is in parts not used by mitmproxy. We looked at it when it came out, and I'd even say it's more of a bug than a security vulnerability. Again, in either case it's not used by mitmproxy.
Even the term "volunteer" implies too much responsibility. This is a project to which people contribute their time, for whatever personal reason motivates them. If they don't want to do a release ever again, or they don't feel like updating a dependency, or decide the purpose of the project should change in some fundamental way, too bad. This is Free Software, if you don't like what is happening in some project the only thing you are entitled to is a fork.
Given that nobody is paying them, "I don't feel like it right now" is as perfectly valid a reason as any. With an email response like that, I certainly wouldn't feel like it for as long as possible.
The vulnerability in question is in parts not used by mitmproxy. We looked at it when it came out, and I'd even say it's more of a bug than a security vulnerability. Again, in either case it's not used by mitmproxy.