I would be concerned, if too many security features not everybody needs, would become default. Why not dropping security features completely and instead making real-time optimised features the default? This is a rhetorical question, but actually I would prefer the latter.
In my experiences Arch is very healthy.
I doubt that many packages are outdated.
Right off the bat a few come to mind, e.g.
claws-mail and clawsker
but we had Easter holidays and some packages are already in testing.
Other packages, such as e.g.
are out of date for a long time, but the maintainer explained why he has got no time for a while. Apart from this Ardour is niche software.
Each of the outdated packages I noticed still build using ABS or AUR PKGBUILDs by just changing the version and skipping or changing the checksums or they require minimal additional editing, if so I usually drop a note to AUR comments, how to fix the issue.
It's hard to find much more packages I consider really outdated. I noticed that some packages from official repositories are flagged out of date, a few minutes after upstream released a new version, so I wouldn't count those packages.
In my experiences Arch is a healthy rolling release. There are a few hiccups, but I experience less hiccups using Arch, than I experience serious issues with other distros.