When the Debian security team ends security support for packages, and an affected package is already installed, those packages will by default not be reported. Therefore the user will likely continue to use those eventually vulnerable packages. This also applies to Debian stable.
As of Debian wheezy, examples include kde4libs, pidgin, qtwebkit, webkit. (Check output of debian-security-support.)
Installing debian-security-support would cause more confusion than gain. Reporting something like kde4libs and a bunch of libs, tells the user nothing. showing reverse depends is a missing feature in debian-security-support.
debian-security-support is a a sh shell script.
- This is something, that needs to be documented in updating documentation.
- Implement showing reverse depends into debian-security-support. (upstream feature request)
- Think about whatever else is missing in debian-security-support to make it useful for the user.
- Finally, after improving debian-security-support, install it by default.