I have no plans to change how we publish changelogs.
I believe everyone running a production environment should be frequently upgrading all the software they run to stay current on security patches. If you run old software, you are putting yourself, your users, and your data at risk.
The widely publicized 2017 Equifax breach through an already-patched vulnerability in an out-of-date version of Apache Struts is a concrete example of the dangers of not patching software regularly.
If you fall substantially far behind HEAD and there’s a major security release to address an urgent vulnerability, you will not be able to upgrade quickly.
I don’t want to encourage installs to accept this kind of risk, and annual patch notes are only useful for installs without a regular upgrade plan in place.
(There are other concerns, too, including: third party API changes like the recent Google auth change, users routinely reporting already-fixed bugs in very old versions of the software, maintaining compatibility in very old migrations. But security is the major driving concern here.)
If you don’t want to deal with the hassle of upgrading regularly, you can pay us (or some other provider) for hosting. Part of what you’re paying for is the ongoing mitigation of security risks.
If you’re running a casual install and don’t care about security risks, or disagree with this risk assessment and believe that running old versions of the software with no upgrade plan is not dangerous, that’s fine – but you should generally expect that you will receive no support for this from the upstream.