We're using it now (2022) to run some high volume transaction websites.
We are not writing new apps in it, but a lot of existing code still uses it,
and is actively modified.
Yup this is what I read, and covers a lot of security reviews I have come across, where someone requests some functioanlity, such as password recovery, or some promotional code, and someone else discovers how it can be exploited.