Yes, once a plugin moves to WP5+ you stop getting updates (including any security updates). I wonder how many CP users think their plugins are up to date when they are actually way behind.
If this is the case, then for me it just confirms that using WP Plugins on CP is not a good idea and we should even more proactively advise people to not do it. I have already updated our DOCs where we suggested to use WP Plugins, but I think we need to go further and remove the Plugin area/move it to our api, soon, not later.
This is going to be a massive mess in a few months, maybe a year from now. As soon CP gains a little traffic, it becomes a target for hackers. If they find CP users basically run on whatever outdated stuff, we will be seeing a lot of stuff we don’t want to see.
Yes yes, “we need to use those plugins as there are none for CP” and “it is not that bad” are all true statements, and yet, “Security” is not really what this all suggests. Rather ignored problems.