We and other Plone solution providers have been doing this for multiple years, patching and keeping installed Plone 4.x running more or less smoothly with the changing requirements, external environment (browsers), and fixing long tail bugs that only occur very seldom or in uncommon combinations/setups.
Bugs are patched, core packages are updated and registered in buildout.coredev, but these fixes don’t end up or end up very slowly (10 months?) in minor Plone releases. So while providers and developers are patching their customer installations (of the customers still left) with in between patch-lists of updated packages in their installs and contributing these upstream, the sink seems to be clogged at the end of the pipe.
The effort to "support of no longer officially supported versions " is at the moment de facto equal to support the official versions when there are no minor releases: you need some decent Plone experience and information of package dependencies and individual components to pull this off.