WordPress 3.7, which introduced automatic updates, received security backports all the way to 3.7.41. From 2013 to 2022. 4.1 and above are all still receiving them.
Doesn't WordPress officially only support the two latest minor version release though ? I can't find an official source at the moment but a quick googling seems to confirm that.
> The only current officially supported version is the last major release of WordPress. Previous major releases before this may or may not get security updates as serious exploits are discovered.
> …
> Security updates will be backported to older releases when possible, but there are no guarantee and no timeframe for older releases. There are no fixed period of support nor Long Term Support (LTS) version such as Ubuntu’s. None of these are safe to use, except the latest series, which is actively maintained.
