Many companies rely on OpenSSL in their products. They would be hurt by this. The alternative would be to give them the funding they need.
Caveat emptor: most of the entire FOSS world barely maintains old releases, so why should this project be any different? His response on the mailing list is how this is handled in practice:
I don’t know - for a start, just because the OpenSSL team don’t support it, that doesn’t mean others can’t backport fixes.
If you can’t do this, don’t use old software, or choose vendors that navigate these waters for you, like FreeBSD releng or RHEL, to base your product on.
Give them funding to spend time supporting versions that date back to 2005?
I think only “those” companies might be interested in that, so they could be the one funding the operation if they cared.
Or write your own SSL library, like Apple and Mozilla did.
FYI: Ben Laurie (ben at links) is part of the OpenSSL core team, according to https://www.openssl.org/about/.
I like the idea of taking the next step: EOLing OpenSSL entirely.