It's not completely patched. Stop assuming. I've always assumed that Apple or Google or Microsoft consider three factors for deprecated devices or software: 1. Severity of Issue, 2. Expected work required to fix issue, 3. Number of users involved
I think if something is a relatively easy fix and high severity that they will fix it. I don't think they view security updates as a tool to force people to buy new products. The low hanging fruit for large numbers of users gets fixed. The underlying software however, should not be trusted or viewed as secure.
Even though these applications are bundled with the operating system, they are probably separate code bases and if they believe the patch can be accomplished across the versions with minimal work like fixing the same line of code in the old version it probably goes out. If they have to do a major overhall of the old operating system and port the new browser version to the old software, it probably doesn't.
I think if something is a relatively easy fix and high severity that they will fix it. I don't think they view security updates as a tool to force people to buy new products. The low hanging fruit for large numbers of users gets fixed. The underlying software however, should not be trusted or viewed as secure.
Even though these applications are bundled with the operating system, they are probably separate code bases and if they believe the patch can be accomplished across the versions with minimal work like fixing the same line of code in the old version it probably goes out. If they have to do a major overhall of the old operating system and port the new browser version to the old software, it probably doesn't.