Unless they're assuming it's exploitable on Apple Silicon as well, or are being extra careful just in case.
Things like OpenCore Legacy Patcher prove it's possible; they just don't want to.
I don't think anyone feels entitled to new features in perpetuity. Security updates only would be fine thank you.
Don't tell me the richest company in the world can't pay for a couple of developers who just want to rest and vest to take care of and test the legacy platforms. A cushy job and you keep the customers happy.
Ironically the best way to stay safe on these computers is to install Windows or Linux.
At my old job we supported only two versions of our software product, Tanzu Operations Manager versions 2.10.x and 3.0.y), and we cut new patch releases every few weeks (similar to Apple's cadence). Bumping dependencies was a pain. Well, usually it went fine, but sometimes you'd hit a gnarly incompatibility and you'd either pin a Ruby package to a known version or try to modify the code just enough to make it work without making a major change.
If I had to put a number to it, I'd say it cost us 2 developers to keep our older product line consistently patched, and our product was a modest Ruby app, much less complicated than an entire OS.
Is Apply really releasing new patched OS updates every few weeks?