
> it's not like AOO owes the world anything.

It arguably owes its users not distributing security holes to them. Sitting on the vulnerability since October 2015, only revealing it in July because the reporter said they were going public with it ... there is no way that is responsible stewardship of end-user software.

In fact, I just checked - I went to www.openoffice.org, went all the way through to download, and it still gives me the vulnerable version and doesn't give me information that there's a vulnerability or a fix.

You're an AOO dev. What do you see as your responsibility in this regard?



The OP explains what the ASF expects in this regard.

    "In the case of Apache OpenOffice, needing to disclose security
    vulnerabilities for which there is no mitigation in an update has
    become a serious issue. In response to concerns raised in June, the
    PMC is currently tasked by the ASF Board to account for this
    inability and to provide a remedy. An indicator of the seriousness
    of the Board's concern is that the PMC has been requested to report
    to the Board every month, starting in August, rather than quarterly,
    the normal case. One option for remedy that must be considered is
    retirement of the project. The request is for the PMC's
    consideration among other possible options."


In the strictest sense, as a volunteer who gets paid nothing for participating in this, my responsibility is "nothing". In a sense related to my personal sense of commitment, I think it goes without saying that we want to ship secure software, all the time, every time, and to fix security holes as soon as they appear. But what we want and what we have the resources to do aren't always the same thing.

In terms of the various security issues that have cropped up, I'd say that if we reach a point where we simply cannot ship a fix AND it's a serious vulnerability, then we have an obligation to inform users of the situation so they can make up their own minds what level of risk they are comfortable with.


Note that informing the user is not sufficient for an Apache project. If the project cannot respond effectively to security reports, it must retire.

This is part of the ongoing discussion on the dev lists. The OP quotes Dennis, the OpenOffice Chair, to this effect.



