In an ideal world, operating systems (server and desktop alike) would already be on a 5-year release cycle with just yearly incremental upgrades in between (as much as the vendor can manage in a service-pack model).
Is it insane to run systems without any security updates? Even within the lifecycle of the product many businesses never even patch after the initial install. I personally know people that live by this: never patch anything unless presented with proof that it's necessary to do so (I don't completely agree with this, but money has been lost catering for low-impact security updates and people tend to learn a few lessons from it).
Security is more about risk management than being free of vulnerabilities. The issue isn't going without security updates; it's doing so without assessing the risk.