A fixed piece of software can have a limited lifetime for only two reasons: dependence on ephemeral infrastructure (e.g. cloud services that disappear or change), and assumptions that fail over time (e.g. "the device will never be used after 2020" + hardcoded calendar).
Only the first can be caused by API changes, and the API changes are usually always caused by voluntary product rewrite and infrastructure deprecation, not by security issues.
In other words, the problems spawn from entirely voluntary and technically unnecessary actions, and you cannot claim that is caused by some unavoidable law of nature, such as proliferation of security issues.
If old APIs required no maintenance, it would be fairly simple to leave them around.
However, APIs are built on an ever deeper stack of APIs that go all the way back to the operating system and through internet protocols (APIs) right across the internet. Each API gets updates and fixes and things get deprecated. Bit-rot sets in and things stop working.
My original comment was suggesting that if everyone just left their old APIs around forever, then the world would be filled with unpatched APIs with security flaws, and I was not sure that would be a better place to be than the world of bit-rot that we have now.