Sites on EOL versions not told about security releases in later versions

If you're on 5.9.x (EOL), you aren't told that 5.13.4 is a security release (a critical status message). You're only told that 5.9 is EOL (a warning status message).

SummaryReport::createUpgradeMessage() needs to check:

1. is there a security release in a future version?
2. is that future security release date more recent than any security release that might be in the current minor version?

(This assumes that security releases on the same day are equivalent, i.e. that you wouldn't need to upgrade from 5.7.6+ to 5.13.14+)

It appears that SummaryReport::findLatestSecurityDate() is meant to do some of this, but it isn't called from anywhere in civicrm-pingback.