Remaining on 3.1.x forever? Moodle security is really pretty good but the hole may not be code but PHP version/MySQL version - and remotely exploitable with no authentication required!!! :|
Moving from 6 to 7 CentOS may/may not affect your Moodle but only if provider has something like EasyApache for customers that would allow customers to choose the version of PHP to run with a site. Can't get too high with PHP or your 3.1 code won't run 'error free'.
Right now ... I admin CentOS 6 servers and a few CentOS 7's ... uhhhh, RH just released 8.0, BTW. Your provider might jump 7 and go to 8 as it's built more for virtualized environments. And considering RH now part of IBM ... which CentOS folks say not to worry bout that????? Hmmmm ... can recall being taught as a grade schooler 'duck and cover'.
CentOS, based on RHEL, has always been conservative when it comes to default versions of PHP / MySQL when installed with CentOS repos. More often than not, running a CentOS VPS one will have to use 3rd party repos to acquire the higher versions of PHP - webtatic/epel/other. I happen to use Oracle's MySQL repos for the database version and not 3rd party.
Providers of shared services would need to know how many customers are running Moodle vr. X to know for sure when upgrading the OS and underlying PHP/MySQL if those customers would be affected.
Shared hosting setups are great for WP/Joomla's/other, but are becoming more and more a problem for Moodle-using customers.
My 2 cents, of course.
SoS, Ken