Just to push back a little on this - I think if a site is on 5.3 that's fine - as long as they are comfortable upgrading to the next security release as soon as it comes out - for most 5.3 users the upgrade from 5.3 to 5.7.5 or 5.9.2 or whatever they upgrade to when they do their next security update will be a fairly minor exercise (of course that might also be an argument to upgrade now as there are definitely bug fixes in later versions that are not in 5.3). Upgrading from 5.3 to 5.7 (or 5.8 will be out later in the week) is a point version upgrade in the same way upgrading from 4.6.17 to 4.6.28 was.
Obviously sites on 4.7 are not secure and they should upgrade ASAP. Sites on 4.6 are likely to have convoluted custom code and they should be getting themselves onto a 5.x version so that any related issues are dealt with well in advance of an urgent security update.
I also want to push back a little. A CRM upgrade process could be a lot of work because one needs to test all the primary processes which are managed in the CRM. Also, a lot of organisations using CiviCRM are fundraising organisations, which means that December is the busiest month of the year for those organisations, so December is the wrong period to do an upgrade.
"one needs to test all the primary processes which are managed in the CRM" - I'd probably change the word 'needs' to 'may need to'
We (WMF) have been very careful about how we integrate with CiviCRM and we have invested in really good unit test coverage - so when we next upgrade we will be upgrading by about 4 minor releases and we won't do any testing other than pass the new code through our unit tests. (I would say we did test all primary processes when upgrading from 4.2 to 4.6 & we tested a small subset upgrading from 4.6 to 4.7 but since then we don't really)