Because it should be future proof for a little while.
Why? It's not been rewritten from scratch. Something that affects previous versions could reflect in the latest version. (Note, I don't know what the vulnerability is). Of course brand new code isn't safer. Sure, there's more mitigations in each version, DEP, ASLR etc. so the risk might be lesser on later OSes, but expecting it to be future proof is, in my opinion, unreasonable.