It's a security risk for the admin, not XF. As long as XF can write secure code that works on a supported version of PHP they have done their job. The rest is on the admin. There's no onus on XF to force the issue and some people may still need time to get their PHP upgraded, esp. if they have custom (vs. off-the-rack) add-ons that need updating. After all, a lot of current Windows software still works on 7 and 8, even if they are no longer supported and using them is like painting a bullseye on your back unless you run them completely offline.