> It will be unsupported. Bugs and security vulnerabilities will accrue making it less and less valuable over time. [...] are the first ones to claim FOSS is okay stuck at a particular version. Every company keeping their stack stuck on the permissive license is risking a log4j style event in the future.
Your example shows the opposite of what you intended to show. It was the people stuck at a particular version of log4j (the old unsupported log4j 1.x branch) who avoided the vulnerability, while the ones who kept up-to-date with the maintained log4j 2.x branch were vulnerable. And it also shows the power of a permissive license: for those stuck at the older log4j 1.x branch, which had been abandoned by its maintainers, there's now a fork by someone else (https://reload4j.qos.ch/) which is being maintained.