They’re waiting for Debian developers backporting the patches.

Only if there is such a huge vulnerability that they will have no choice.

That’s just my guess.

Promise of support is a tricky one.

Take up non-feature security-only maintenance.

This isn’t hard. SCO and Sun did exactly this.

I’d guess they’ll do what Debian does with backports.
https://backports.debian.org/

There are community backports (like Sury’s Debian builds) for PHP, including a branch of PHP 5.6 originally released in 2014. Most other notable languages and major packages have something likewise as well, right down to major packages like Drupal 6. It’s not always easy, but it’s doable and the work is usually either already done or can be paid for.

Weird things that are truly too difficult to support are also often excluded. Eg Spectre/Meltdown fixes were non-trivial and had to be backported to a fairly wide range of things but that only went so far back. Some old systems just never got those fixes and instead have to be ran with a workaround (“don’t run untrusted code”). I don’t know how things are with the new offering but large complicated packages with lots of moving parts like OpenStack used to be excluded from the full extended support cycle before as well.

Either they add a new version of PHP or they backport the fixes.

LOL they’ll do nothing as usual. Probably they will apply security patches if someone submit them, but I’m unsure.