Hacker News

Why not? Was it broken? If it was, is it easily fixable?





Well, for one, security concerns, especially for an internet-oriented component.

Secondly, you have to find a reliable maintainer or several.

A lot of people want stuff to be maintained indefinitely for them by unspecified "others".


You don't have to find a maintainer.

Not updating the system is usually a solution to such problems.

At best there is an nginx or an API in front that acts as a reverse proxy to clean up/normalize the incoming requests and prevent directly exposing the service.

Example: banks, airlines, hospitals, air traffic controllers, electricity companies, etc.

All critical services that nobody wants to touch, as it works +/-


Guess what, all those places can just use Python 3.12 for as long as it's maintained and if they REALLY can't update, they can:

a) make the system air gapped

b) pay a Python consulting company to back port security fixes

c) hire a Python core dev to do the system, directly

OOOOR, they can just update to Python 3.13 and migrate to the equivalent Python package that's not part of the core. For sure they already use other Python packages.

We're making a mountain out of a molehill, also on behalf of places that have plenty of money to spend if push comes to shove.


I think it may be easier to backport CGI to a new version of Python rather than backport security fixes.

I agree.

It takes time, and this means that instead of working on something else, their time is locked on this.

The CGI standard hasn't changed… what changes did the module need?


