The reality is that reliable backports of security fixes are expensive (partly because backports are hard in general). The older a distribution version is, generally the more work is required. To generalize somewhat, this work does not get done for free; someone has to pay for it.
People using Linux distributions have for years been in the fortunate position that companies with money were willing to fund a lot of painstaking work and then make the result available for free. One of the artifacts of this was free distributions with long support periods. My view is that this supply of corporate money is in the process of drying up, and with it will go that free long term support. This won’t be a pleasant process.
“Somebody has to pay for it”? Nonsense. People working on community distros are not paid, and a lot of patches come out of those distros. If it’s important enough, those distros can and will do their own backports.
Furthermore, the existence of distros running ancient kernels and software benefits industry more than it does individual users—“stability uber alles” is something you mostly need on servers and controllers for expensive devices. They’ll keep funding the backports because they need them more than they need the initial security fixes targeting the latest versions.