if WordPress ever introduced a security vulnerability that required us to patch legacy versions of the plugin we would endeavour to do just that.
It has never been required before, and hopefully that will continue to be the case, but if you’re security minded we suggest you put adequate measures in place both for protection and monitoring as an unlicensed plugin cannot be automatically updated.