If the update is so important (it is), then maybe they should force auto-builds to fail by renaming the vulnerable versions to something the scripts do not find for auto/scripted downloads. You can also poison the vulnerable versions at the source and having them bail out on first call with a log-message "please update".
These would be (very) hard measures, but it may be necessary for the long tail to become shorter.