I've never quite understood this MS policy of "ending support" but continuing support anyway for extended support contract customers or for specific versions, etc.
The way I look at it, MS obviously is actually continuing to support the product, they are just choosing not to make it available to most people. It's still supported, just not for everyone.
I feel that if security patches are still being produced, they should be released as opposed to expecting people to use nothing, or roll their own by getting patches from a third party.
They could be released as "donations" to the public good from the big customers.
As I recall (vaguely) Microsoft did release a few security fixes for Windows XP and Windows 7 after their respective ends-of-lives on a case-by-case basis when the security issue was especially bad.
I am by no means a fan of Microsoft's, but when you release an OS and some applications and provide security fixes for ten years, asking for people who want to continue using that OS/app beyond that point to buy a support contract is not a complete dick move. In the FLOSS world, you may get volunteers who maintain a piece of software as a labor of love, but with something like Windows or IE, someone needs to pay people to do that work.
It might make sense to create something like a foundation to take care of the long-term support for software, which would benefit everyone. I'm kind of surprised actually that this has not happened yet (to my knowledge, at least).
I wonder if it is because customer-specific patches break parts of the software that most users use, to make it easier to fix the bugs the customer cares about.
But more than likely it is because deploying to that 1 customer is always going to be easier than deploying it publicly.
The more people using your old software legitimately, the more people you have to tell that the bug they found isn't a security issue worthy of your time. Plus it's a kick in the pants to get organizations who can to upgrade.