In their defense, it would be difficult to keep security updates fully separate from feature updates since sometimes replacing a vulnerable feature with a new feature is the easiest fix rather than pushing the new feature, but also issuing a separate fix for those that don't want the new feature.
In other words, it's only reasonable to expect security updates for a certain length of time and not indefinitely.
