The meaning of a package being "insecure"

I’m not sure how “insecure” applies in that case. For example, there is no expectation to mark bash as insecure because it is unsafe for untrusted input :stuck_out_tongue: But for this I mean “insecure because upstream updates are not available”, not any fundamental lack of security in the package itself.

Would you consider the Bash version with (undocumented) Shellshock insecure? Ghostscript has a -dSAFER mode that tries to make it a safe «only access the input and the output files» program. This seems to even be the default mode now. It has seen so many holes that even a new re-designed implementation (which they seem to have since a recent version 9.50) would need quite a bit of time to be trusted as actually safe.