> Lesson was simple: it is much easier to maintain old versions that keep things working AND DO NOTHING than
> to do any proactive security maintenance. This works in a number of ways.
Uh, that's not the right lesson to draw from this. If customers get hacked because they are running out-of-date CMSes, it's their fault. It's also their fault if it's not working because they have outdated crap that's incompatible with modern PHP versions. But if you neglected to update PHP, and the customers get hacked because of that, it's your fault. You might be able to talk your way out of it in some cases by pointing out that (this kind of) hacking is bad, but if the customer is a company or a person who cares, they will demand to know exactly how this could happen. Having a logfile that shows them exactly what exploit in their outdated CMS or plugin or theme was used is very satisfying.
I see this in every major PHP release. The answer to customers who complain is "too bad, update your old outdated Joomla 1.5.x/WP 3.5.x crap. Or if you don't want to do that, good luck finding a reliable host that still has php 5.eol".