I dug into this. Apple's incentives aside, the bulk of intel's chips in macs are no longer supported by Intel or soon won't be. The more time passes the harder it is to keep those machines secure.
This is the best article I found on the topic. Note that once a mac is no longer supported for a new os the old os will get security updates for two years after that.
The old OS will generally get most security updates for two years, but that is not a written policy or rule, and Apple has not patched CVEs on older OSes in the past that were well within the N-2 assumption.
Most of the time they do, but depending on the data you work with and the risk you can accept, that might not be an acceptable policy.
I'll note that anyone running an out of date MacOS should use Chrome or Firefox. Safari gets its updates via OS updates, whereas third party browsers have their own update cycle.
