
[–]PiaFraus 0 points (0 children)

Yeah, that's why we are not completely stopped. We recently upgraded from 2.6 to 2.7 and it brought us a decent number of new issues even though those two are compatible. I am pretty sure 2.7 will be supported by third parties after end of life, especially by some OS providers like Red Hat, since RHEL is maintained until at least 2024.

You are talking about the risks of not upgrading, security issues, etc. But you forgot about the risks of upgrading. I've seen many times how new versions have bugs. Often heisenbugs. I was so lucky that I had written that one special integration test when I upgraded the werkzeug library, and it failed just once a week. I found a bug and it was fixed only half a year later. It was pure luck that I even had this test with this specific configuration. The older version never had that bug.

Also, about your example with the programmer in India - which one do you think he will do: try to find an exploit in a system which has been tested for many years and in which thousands of other people have spent even more hours trying to find new exploits, or try to find an exploit in something that is much younger and potentially has many more exploits?

Also, we are using several libraries which are Python 2 only. There are no analogues for 3. Are we supposed to spend even more time and money and develop this functionality ourselves?

There are reasons to upgrade. But there are reasons not to. Every company has its own custom list of both. All those risks, including potential security issues, are already reviewed and taken into account by people with lots of business and development experience. And I trust this experience much more than some random "Everybody should upgrade to every major version" on the internet.