I absolutely agree that downstream packages have some level of responsibility to maintain up-to-date packages.
However, this alone isn't necessarily a reason to prevent someone from distributing derived versions of your open source project using the original name.
If this were the case, Canonical would prevent people from shipping EOL'd versions of Ubuntu under any circumstances. If I ship an appliance with Ubuntu 10.04 (EOL 2013-05-09), it would have the same negative impact as shipping a patched 16.04 with no up-to-date patches or a similarly unpatchable kernel or core package.
Even if in this case the changes they make are damaging the system's security, the trademark policy doesn't say anything about security or updates: you just can't ship unapproved changes in an image called "Ubuntu", regardless of whether those changes are secure or not.
- Ask for the approval of the upstream developer
- Rename the package, as Debian did with Firefox/IceWeasel
The problem with the OVH images is their kernel lacks months of security patches, so they're advertising insecure images as "Ubuntu".