Not sure if these are fully correct answers, but my best guesses are below:
1) You could probably figure this out at least partially from https://moodle.net/stats/. Judging by the versions, it looks roughly like 1/3rd of sites are 3.0.x or later at the moment. How many of those are 'mission-critical, enterprise-level', though, is anyone's guess I think. I'm not sure how many admins of sites like that would even admit to being out of date, since that also makes you an obvious target.
2) Look at the security issues fixed in the versions that are missed and extrapolate. Are there serious remotely exploitable server-busting type vulnerabilities fixed, or is it something like a student being able to see other students' email addresses?
For managing risk, you probably won't be able to do much to get around security/privacy level bugs in Moodle, but you should at least harden your servers so that even if someone can run PHP code arbitrarily on your server, they can't get much other than Moodle data, which while still sensitive isn't as bad as getting remote admin on your servers and breaking into everything in your org.
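As an added illustration of the "limit what arbitrary PHP can reach" hardening the reply recommends (example code written for this page, not from the poster or from Moodle), the script below audits a php.ini fragment for the settings that widen the blast radius of injected PHP: process-spawning functions left enabled, no open_basedir, and remote URL handling switched on. The two ini fragments are constructed samples; the paths in them are placeholders.

```python
# Constructed php.ini fragments used as sample input (not from any real server).
WEAK_INI = """
expose_php = On
allow_url_fopen = On
allow_url_include = On
disable_functions =
; open_basedir not set
"""

HARDENED_INI = """
expose_php = Off
allow_url_fopen = Off
allow_url_include = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
open_basedir = /var/www/moodle:/var/moodledata:/tmp
"""

# Functions that let injected PHP spawn OS processes; blocking them keeps
# someone who can already run PHP confined to what PHP itself can reach.
SHELL_FUNCS = {"exec", "passthru", "shell_exec", "system", "proc_open", "popen"}

# PHP's built-in defaults when a directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": "On", "allow_url_include": "Off", "expose_php": "On"}


def parse_ini(text):
    """Parse 'key = value' lines, ignoring ';' comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings


def audit_php_ini(text):
    """Return findings for settings that widen the blast radius of arbitrary PHP."""
    s = parse_ini(text)
    findings = []
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(SHELL_FUNCS - disabled)
    if missing:
        findings.append("disable_functions leaves shell spawners enabled: " + ", ".join(missing))
    if not s.get("open_basedir"):
        findings.append("open_basedir unset: PHP can read any file the web server user can")
    for key, default in DEFAULTS.items():
        if s.get(key, default).lower() in ("on", "1", "true"):
            findings.append(f"{key} should be Off")
    return findings
```

Pair this with filesystem permissions: the Moodle code tree should not be writable by the web server user, and only moodledata should be.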