But are they now continuing to ship the known-vulnerable version in universe for new installs moving forward, but then notifying the user that an up-sell opportunity exists if they want the fixed version?
There are lots of security updates in the source code for the packages. Major vulnerabilities will (presumably) have Debian package updates, and those should continue to be ported to Ubuntu. What will happen now is that Ubuntu themselves will sometimes port security updates to Ubuntu even when there is no community (debian) update upstream. At least, that is based on my own analysis (see my other comments).
So, I think this is just a new offering from Canonical, allowing us to pay for more minor security updates to the Universe packages. But they explained it very badly!
