I was about to post complaining that releasing a 2.3.x and releasing a 3.0.x was against their recently announced policy, but I thought I would double check and found that 3.0.x isn't covered for "Severe security issues".
Aside from the fact that this seems rather strange (to say the least), I'm guessing a lot of other people misread the policy too and simply assumed that 3.0.x would be patched if 2.3.x was.
Aside from the fact that this seems rather strange (to say the least), I'm guessing a lot of other people misread the policy too and simply assumed that 3.0.x would be patched if 2.3.x was.