I agree with you here. Even though we are promising that security related issues will be backported one branch further than general bug fixes, this should not be a restriction for developers willing to invest their time with non-security issues. This happens rarely and usually only when there is a pressing need, so I don't think this sends an unclear message about what versions we support.
We still need to have a distinction between a "bug someone could exploit" and other issues, though. The reason I say this is because we want to be as open as possible about the problems with Moodle, but we want to be responsible when it comes to reporting exploitable bugs, revealing them only after a fix has been released. If an issue is not exploitable it can be integrated as soon as possible, but such a fix may not become available in that trailing version until a minor release, simply because of the effort needed to maintain that version continuously when so little is being done there until a release is imminent.