Hi
I think this is an interesting discussion, but I think we are not doing it in the right place.
The discussion is more or less whether packages should be allowed in Debian in the first place. This should be discussed on some general mailing list, like debian-devel or debian-project. LTS cannot put restrictions on what should enter Debian in general.
LTS is about handling things that have already been there for years.
With this said, I think restricting packages because they are insecure is not the best way to do it. Of course we should not add software that is generally available to anyone as a service and that is known to be extremely insecure. But most software can actually be quite badly written and this is not a problem from a security standpoint.
If the user uses insecure software in the right way, it can work just fine. For example, if you are using a text editor to write your own software, that editor can have all sorts of software problems without causing a security issue.
In many cases it is better to have some software that fits your purpose even though it is not the best from a security point of view.
I maintained Vnc (version 3) for many years. Vnc (3) was not in any way secure, at least it was not in the beginning. However, with decent firewalls around your network this is not really an issue.
Best regards
// Ola