If you are a decently qualified administrator, then you always consciously choose between the following:
a) You customize/install/update/recompile/patch the software you need on your own time. Usually you do this when the service availability is absolutely critical and at the same time no out-of-the-box solution exists.
b) You use an "out of the box" solution. This solution should be supported, and used within its nominal use case.
Ubuntu very clearly states that Universe packages may - at best - only receive a minimal quality check at the distribution release and are patched by maintainers, who are not necessarily authors of the software nor employees of Ubuntu. As such, the time which they may spend to predictably react to problems is limited, and if anything in their life changes they just have to stop doing anything for the package without further warning - if the package is important enough for you, donate money to the maintainer and pay him.
I appreciate that the author loudly raises his concerns, but I think anybody running an unsupported port of a program is responsible for himself. Pulling the package is not good. I for my part run any service for myself (file sharing etc.) on a machine which only shows a single port for a VPN to the outside world. If something other than a security problem in the VPN software appears, I would prefer to continue using (and reinstalling) the packages which I chose.
If I run SW which faces the internet, then I fix it myself.