That's just dogma. There's nothing about "new" and updated that makes it more secure. Look at old djbdns or similar for software that hasn't been found vulnerable after many years.
2015 is just the last "stable release". Development is ongoing (slowly). Some projects just don't care about "releases" that much, and their userbase is sophisticated enough to grab svn/git snapshots directly. Some projects have good development practices so that the dev snapshots are only rarely broken.
Don't like it? Do it yourself.