And those hosts often are not using up to date packages and don't even have up to date security fixes at times.
I recently moved a wordpress site I was working on from a local dev setup onto a live bluehost server and was immediately hit with a bunch of out of date package warnings. As the customer was using some cheap shared hosting service, there wasn't much I could really do about it.
Shared hoster here. More likely the app arbitrarily decided 'these versions of PHP are EOL', where the reality is that they're being maintained by a number of OS vendors.
Too many customers run really old versions of code that need older versions of PHP and so on. We can't not provide them without losing the business. We do of course, make newer versions available.
The other fun one we periodically get is customers doing PCI scans or similar and getting warnings for out of date versions of OpenSSL, Apache, etc. Nope; just backporting showing the old version numbers.
That's sort of funny, as one of the remaining few value pitches for something like Bluehost (versus a $5/month vps) is "somebody else does apt-get update && apt-get upgrade for you".
Keep in mind that WP has a vast installation base, so your local sample is not necessarily representative. I only know WP admins that a fairly comfortable with Linux and use it on a daily basis.
I would actually expect that almost all of those people use Windows or MacOS for their local development.