Because that threat model is too high a standard for Whonix. The only maintainable way is: if it’s in Debian = good enough. Otherwise trying to judge software from Debian by its code quality, last release and other factors will open endless, insurmountable discussions.
See also:
sudo apt install debian-security-support
sudo check-support-status
If you wish to discuss this further please open a separate forum thread.
WIP, still not recommended for end users. Testers welcomed.
See TODO
That doesn’t sound very discouraging. That todo file is missing just some features.
(WIP) integrate with Network Manager
listen in several interfaces
implement IPv6
Not security relevant.