From what I've seen, most of these bugs are really obscure and only apply to unusual, specific circumstances. Consider https://snyk.io/vuln/npm:jquery:20150627 -- to be vulnerable, your web page has to be making an $.ajax() call to a malicious cross-domain server.
This may be a better example, for jQueryUI (not jQuery core): https://snyk.io/vuln/npm:jquery-ui:20160721 -- to be vulnerable, you have to create a dialog box object and use browser-supplied data in the Close Text property. 99.99% of the time close text is canned content: "OK", "Done", etc. This vulnerability is labeled a High risk but it's completely irrelevant to the vast majority of websites using jQuery UI.
If all you're doing with jQuery is $('#myspan).text('Hello world'); then you are not at all vulnerable to those flaws (or any other jQuery flaws I've read about).
I think the bigger issue here is the jQuery maintainers aren't backporting fixes to old releases, and likely aren't publicizing (or perhaps even aware of) other flaws in end-of-life jQuery releases. Just as you wouldn't assume Internet Explorer 6 was safe to use because nobody has published a new exploit in years, you shouldn't assume that jQuery 1.4.x is safe because nobody has reported relevant flaws in it.