hedwards: Red Hat primarily does it because they're focused on the enterprise market. And there's no guarantee that a particular patch won't need to be completely rewritten to run on an older version. What's more, people using those versions pay a ton of money for the ability to do so.
AFAIK, nobody backports security patches to the 1.x Linux kernel.
silviucc: WTF does linux 1.0 have to do with anything?! This is becoming a twilight zone episode. Seriously.
Well, it was the logical response to your assertion that older versions receive patches. Which they don't, unless you have an application that only runs on that version and you pay somebody a crap load of money for support.
silviucc: The points are these:
1) Microsoft said that by reverse-engineering patches for Windows Vista, 7 and 8, people might find ways to attack Windows XP, which will no longer benefit from security patches. That is true.
2) The above statement applies to any piece of software, which means that by examining the source code of patches or by reverse engineering the binary patches one can find means to attack previous versions of any software, because the code is shared across releases.
They may have said that, but it doesn't make it true. It is possible, but in practice, there's little point in developing an exploit that's been patched in newer versions of the OS in order to catch the small number of machines that are still running older versions of the OS.
Sure, it may happen, but there isn't much money in doing so. Similar to why there are so few exploits on OS X or Linux compared with Windows: there's comparatively little money in that.
As for 2, I can't think of any other software, banking software excepted, where doing so would be profitable. Sure, it is possible, but examining patches to exploit older software is far less profitable than attacking newer versions in most cases.