Well presumably such sites would run on dedicated servers where they can run whatever they like and take responsibility themselves for any security issues that their code caused on their server.
Of course professionals will be monitoring the various changes to PHP and would commence making changes as soon as they are first announced - eg. replacing mysql_ calls in 2012 when it was first announced that support for that antiquated interface would end.