[ryandrake]

Companies can bake the cost of one or two maintenance releases and maybe one or two years of security releases into the purchase price. I agree it's not reasonable to expect lifetime updates from a one-time purchase. As long as you're not doing heavy development on these maintenance releases, the company's cost should be very small.

As a user-developer, I'd also be happy with being provided the source (or un-linked object files, or the equivalent for whatever language being used) after the maintenance period was over, so I could continue applying dependency security patches myself.