Comment by citrin_ru
Depending on vulnerability impact and difficulty fixing it, some vendors may choose to release a fix even after EOL. Generally EOL means that users should not rely on getting an update (but it still may be released as an exception).
Or the vendor might want to warn users about the vulnerability. It is a different story to stay “there might be vulnerabilities, consider updating to some other gizmo” vs “there is a vulnerability, you have to abandon the gizmo”.