What part of "We reviewed all relevant CVEs as they came out to make a call on if they apply to us or not and how we mitigate or address them" gave you that impression?

>running 5-year-old versions of stuff with tons of known security flaws

No one in this thread proposed that, or anything that could be reasonably assumed to have meant that.