Upgrade of old install 2.4 ----> 2.5

2.4 actually is kind of broken, and has been for over two years. Same goes for 2.5.

Fixes were only applied to OH3. I’d guess that your 2.x installations should be relatively safe if they can’t connect to the Internet, but I’d be concerned about something critical to a university having a known exploit.

I’m actually a bit surprised that a university allowed relatively unstable open-source software to be used in such a way–the university I work at would deem it to be far too risky.

End users assume all responsibility for the OH systems they deploy. So, I think it’s the administrator’s responsibility to proactively maintain the system and not forget about it for five years. Otherwise, things like the log4j2 vulnerability go unnoticed.

At the same time, I understand that there are competing priorities. That’s why I mention the log4j2 vulnerability whenever someone says they’re still on OH2–I’m just giving a reason for the upgrade to be worth the effort.

I don’t know what it takes to build and maintain repos, so I can’t comment on that.

I will note that “wider adoption” isn’t a strong motivation, because we’re not competing with anyone. It’s open-source software maintained by volunteers, not a commercial business.
