I haven't read all the documents, but have these researchers taken into account backported fixes?
My gut feeling is that the "preference" for 1.12 is simply due to its inclusion in Debian stable [1]. The maintainer seems to be actively backporting security fixes [2], so while I agree that these versions may enjoy less community support, they should not be considered broken on the basis of the version number alone.
This, of course, unless it is certain that some vulnerabilities are still present in the Debian version. If you are aware of the existence of such a problem, I would recommend you contact security@debian.org. Otherwise, the situation might not be as dangerous as it seems.
On the topic of facilitating upgrades: perhaps we should emphasize the option to install and upgrade using SVN, which is probably very convenient for users that are comfortable with the command line. Moodle has this in the official documentation and I find it very useful [3]. SVN could also be handy as the backend for a user-friendly upgrade procedure, as it already deals with local modifications and such.
As someone who has had their code patched by the debian team, I'd like to take the time to bitch about this.
Firstly, their patches are often incorrect. Secondly, though they've patched my LDAP extension a number of times, I have *never* received a bug report or a patch from them for something they've fixed. It is extremely annoying to see a fix has been around that I could have used months before someone reports a problem to me. Beyond anything else this bothers me the most. They really need to be better community members in regards to this. Lastly, packaging and maintaining such an old version of MediaWiki does a disservice to us, and their users. We don't support versions of MediaWiki that old. I understand that Debian backports security fixes for MediaWiki, but they don't backport new features, and don't backport all bug fixes. Additionally, Debian doesn't backport security fixes for all extensions. Not all extension developers bother maintaining backwards compatibility, and the only possible way to get security fixes is to upgrade MediaWiki and the extension.
Please Debian, keep your version of MediaWiki up to date at least to the oldest stable release, and please send your fixes upstream when you find unfixed bugs.
Respectfully,
Ryan Lane