It's not just security (and other) patches for Rails, it's maintenance for the assorted plugins one inevitably ends up using.

If you've a Rails 2.x app with plugin ActsLikeWhatever, and you run into some problem with that plugin, chances are the fix will only be in the newest, non-Rails2, release.