You've touched on the business model for both Microsoft and Apple. Once they decree that the OS is no longer supported, you're forced to upgrade. Microsoft has even begun to play Apple's game by also obsoleting the hardware.
Still better than paying for SaaS, still getting pwned and getting free credit monitoring in compensation?
Not to mention local-first software has much less attack surface for pwnage. You can wrap insecure protocols with encrypted tunnels, you can share files from a legacy app with any secure file transfer app of your choice... or if all you need is local functionality you don't need to share at all which means no remote access possible.
But there's many "security flaws" that are nowhere near critical or just don't apply to your use-case for the software.