> There is probably a tickbox for satisfying some regulation that says "Don't use versions that aren't getting security fixes anymore"
In theory, yes, that would be bad. But we're talking about JS frameworks here, not C++ libraries. Go look at the CVEs for React and you will find 2-3 in the past 10 years that were patched out in minor version upgrades.
There is a difference between updates due to security and updates due to wanting to use the newest shiny tool. JS is a slow moving language and browsers are excellent sandbox environments. This combo means browsers still support old versions of a lot of libraries and they are completely secure, save a few examples.
So if you're telling me a company is forcing everyone to upgrade to the latest Angular/React/Vue for security reasons, I would say they unfortunately don't know what they're talking about.
Not necessarily. There is probably a tickbox for satisfying some regulation that says "Don't use versions that aren't getting security fixes anymore".
In which case, yes, you get the choice to choose between JQuery and $SOMETHING_ELSE but not the choice to remain on unsupported versions of anything.