Oh, I do see quite some ignorance about the topic, for sure.
Nobody ever claimed that running a supported system on the latest patch level automatically protects you against any threat. But it's an important prerequisite, at least as soon as this system gets any "untrusted" data to operate on.
E.g. at some point, your system will have to expose some service (and if it's "only" ssh) to be useful. If it is exposed only in some "trusted" LAN, that's still a risk, but depending on the circumstances, it might be acceptable. If it is exposed to the internet, you're doomed. The same holds for any other data/input from untrusted sources, but the network is the most obvious one.
So, of course there are scenarios where running EOL systems doesn't hurt. Those are rare, and I bet most people operating such an EOL system actually overlook something. Very often, when talking about stability and uptime, these are just lame excuses for avoiding the work to upgrade the system. And once you're more than one major release behind, this work piles up to something that isn't easily manageable any more.
Yes, for (larger) organizations, the upgrade "blockers" are often applications that don't work with the new release -- this especially happens in Windows environments, but not only.