Compilers and other development tools link framework code, libraries, and runtimes into binaries. Security issues get discovered, development tools get updated, binaries don't, binaries lack security fixes.
Old binaries are also built against old versions of the SDK and as a result get left behind when the OS adds or changes interactions, and if new device sizes are introduced they have to run in a blurry scaled compatability mode.
