No specific timeframe is defined, but they tend to release things that matter really far back — like, the Apple CA certificate expiration update went out a few years ago to basically the entire deployed Square terminal iPad userbase, etc. I expect it’s driven by telemetry and threat model both. Presumably the cutoff is wherever the telemetry ceases!