Apple is definitely not the worst in this regard, but the most recent version of iOS to support the iPad 3rd generation (the device we are discussing which is being used as a PDF reader) is iOS 9.3.5 (a security/bugfix release on August 25, 2016 which supports the WiFi-only version of the iPad 3rd generation) or iOS 9.3.6 (also a bugfix release on July 22, 2019 which supports the WiFi+cellular version of the same device - specifically, this was a fix to keep GPS working).
The iPad 3rd generation was released in 2012, so the 2016 9.3.5 iOS release gave 4 years of security/bugfix support for the WiFi-only version of that device.
Apple patches anything with a proven exploit as long as it’s in a supported version of the OS. E.g. They will not patch versions beyond macos 10.14 i believe, not sure what the cutoff for iOS is but it’s usually about 6 years of security updates. Which means that iOS 9.3.5 is well outside of that and so a bug that impacts that os will not be patched. Which means using an old device like that on the open internet is deeply foolish
My whole point is that what you believe isn't correct. Apple continues to release security updates for "unsupported" versions (let's be careful about terminology, that term is specific and we're both using it), generally for two more years after a version becomes unsupported.
This is in a lot of the reporting about the topic and linked repeatedly in these comments. Please don't repeat false information.
Now you're right that this particular really old version also doesn't get security updates - but boy do I not have that expectation, and I would be surprised if anyone acting in good faith did.
The iPad 3rd generation was released in 2012, so the 2016 9.3.5 iOS release gave 4 years of security/bugfix support for the WiFi-only version of that device.