Do what I do. Always keep your work station up to date with the latest version of your preferred Linux distribution to benefit from the latest features and security updates(!). I develop embedded micro-controller firmware and complete embedded Linux stacks for various clients, and when I need something to be available for many years I simply set up my work space (toolchain, tools, source repos, etc.) in separate VMs so I can always spin them up if I need to go back and make updates. This way I can make sure that my development environments for various clients are always preserved while enjoying a fully up to date Linux work station.
To me it is absolutely inconceivable to run a 5 or 10 year old Linux system as my daily driver work station. We have very different views of what warrants an upgrade. I would argue that security and bug fix updates alone justify keeping everything up to date, but more importantly there are sooooooo many components of the Linux ecosystem that are constantly evolving, making your Linux experience so much better. I mean, it's 2022 and this is the time for running technologies like GNOME/Wayland, the new PipeWire audio framework, systemd, Vulkan, and the other zillion application/library updates etc. If you stick with an old Linux distribution you are asking for trouble and get a lesser Linux experience, and you are in essence opting out of using a lot of new software. To me, that is a terrible strategy.
The equivalent of your separate VM for long term projects is my computer, as I'm my own client and I only have one long term project (multiple devices but in the same series).
Access to different computer hardware is more difficult or in some cases impossible from a VM.
I'm off grid in the middle of nowhere with a fairly low speed internet connection, 2Mbps both up and down, so always updating the OS is not a great option, plus I consider security to be higher with the auto updates disabled.
There are no bugs in anything that I use (there may be but not affecting me). I see nothing that can make my experience better with newer software.
I do get your perspective as that is how I would work 10 to 20 years ago (always having the latest Linux distribution and testing multiple new distributions each year and also changing the hardware fairly frequently).
Even my phone is on Android 4.4 and now on third battery (replaceable battery model) and have no intention to replace it unless it fails (recently I got another similar model with replaceable battery and Android 9 in case this one fails as it is my main and only internet connection).
Phone is used as a phone and access point only, thus a newer version will have no advantages as I do not need any other features.
My wife has a newer Chromebook tablet with support until 2028, and the inability to control when an update happens, or if you even want to do that, seems to me a much higher security risk (you have no control over your own device; it is like you do not even own it).
And software will do nothing to protect you if hardware is compromised, as is the case with all recent x86 and most ARM. Maybe my next computer will be an IBM Power 10 based one, assuming I can find something next year.
A good recent example in terms of security is the Airthings Wave that I purchased about a year ago and now it is a paper weight.
It measures radon gas, CO2, temperature, humidity, pressure.
In order to use it, it requires you to register the device first, update the firmware, and then you can connect through the app over Bluetooth.
The app requires GPS to be enabled so exact location is known and it will upload data to cloud. I was going to immediately send it back but I noticed that I can use it on that (backup phone I have if I turn OFF WiFi so any outside connection). It worked I think for about 6 months this way and then it stopped allowing me access to the device and required an internet connection in order to continue to have access.
There is no way to clear the internal logged data (logged in the device, not just the phone), and so as soon as I connect this to the internet it will make an update and upload all logged data to the Airthings cloud. Since I'm not willing to share the data I can no longer use the device at all.
Even selling to someone else is not an option, as the device was already registered, which includes my details and exact GPS location, and so if someone else registers it (assuming it is even allowed) the 6 months of logged data will still be in the cloud.
You may think that it is not an issue to share this data but I obviously disagree. Just the CO2 levels alone can reveal a huge amount about the way you live, so how long you are at home, how many people are in the home, when you are opening the windows, when you sleep (just to name a few), and in combination with all the other sensors it can provide almost unrestricted access to your life.
Sorry for the super long rambling. I was triggered by the "security updates".