Channel: Issues for Drupal core

Decide if and how to extend D6 security support 6-24 months past an 8.0 release

Our current policy is to stop providing security support for Drupal X when Drupal (X+2) is released. In other words, security support for D6 stops when 8.0 is released. This means that if, the day after 8.0 is released, a security vulnerability is discovered in D7 and/or D8, an SA that publicly discloses that vulnerability can be published once it is fixed for those versions, even if the same vulnerability also exists in D6. That potentially puts sites running D6 at high risk.

The Import API in Drupal 8 core team is working hard to support a direct D6 to D8 migration path. However, in practice, few sites will be able to migrate their D6 site to 8.0 the day that it's released. It'll take some time for contrib modules to be ready on D8. With D6 and D7, it took over a year from the core release for some of the most popular modules to get ported and released. Some of that time can be attributed to waiting on Views, so now that that's in core, let's make a rough (possibly optimistic) guess that the majority of D6 site migrations can happen 6 months after 8.0 is released.

Meanwhile, #2135189: Proposal to manage the Drupal 8 release cycle currently proposes (though with some discussion about that in the comments) to extend D6 security support until after a D8 LTS is released, potentially 1-2 years after 8.0.

So, let's use this issue to hash out the challenges of extending D6 security support to the extremes of these ranges (6 months and 24 months), along with ways to mitigate those challenges, and then decide whether either of those, or something in between, is possible.

Relevant quotes from #2135189: Proposal to manage the Drupal 8 release cycle

chx #4:

6.x has no test suite...supporting 6.x is not harder, it's near impossible.

xjm #5:

6.x core is barely maintained as it is now because of how risky it is to add fixes, and contrib has already moved away from 6.x overall.

RKopacz #37:

I have been on a campaign for much of the year convincing site owners to upgrade to D7 on the grounds that support for 6 will stop. I am sure that I am not alone in doing that. The sudden switch to an LTS version might leave certain smaller site owners with a bad taste in their mouths, realizing that they didn't have to fund an upgrade to D7 after all.

John Pitcairn #42:

No D6 LTS please. We weren't expecting one, all my D6 clients have been warned about the impending loss of support, many have upgraded and the remainder probably never will anyway. Just let it die when 8.0 is released, as promised.

jstoller #43:

I think it is commendable that the Drupal community is even considering supporting D6 beyond the release of D8, but I don't think there should be any significant pressure to do so. Speaking as someone who is still mostly supporting D6 sites, I knew what I was getting into when I developed them. If you choose to support my D6 sites a little longer, then I'll be grateful for the gift. However, it would be a gift. If doing so is going to put any undue pressure on the security team, then forget about it. I'll live.

izmeez #45:

Providing only support for security fixes to D6 for a short time will likely be better for the Drupal community and clients using Drupal. Some may see this as an opportunity to transition through to Drupal 8 to take advantage of the improvements it offers.

greggles #47:

Saying that D6 is supported doesn't make it a reality. In an ideal world I agree that supporting Drupal 6 for some period of overlap with Drupal 8 is a good idea. Getting contribs ready to release on the day D8 is released would also help solve that problem. But in spite of efforts from various people ( ;) ) we don't live in an ideal world (yet).

laura s #51:

having a large amount of Drupal sites left with no easy update path and no community support represents a pretty big risk to Drupal's perception -- a risk that might not have been such a big deal a few years ago, when Drupal was more obscure and only tech-minded folks and orgs were willing to take it on (live by the sword, die by the sword). But now we have a successful product that requires little maintenance once built, but significant effort to upgrade, and therefore an abundance of site owners with little tech expertise and insufficient resources to take on an upgrade.

