Do old package versions in CentOS mean that they do not have security fixes?

As an enterprise distribution, Red Hat locks packages in the distribution to a specific version, so that the features offered are known and consistent and do not change behavior unexpectedly during the lifetime of the installation.

As you noted, this means the version of software can be "old."

However, they also backport security fixes when available, applying them to the old version. For instance, a number of security fixes have been made for subversion over the life of the distribution. This allows for keeping a secure system without the risk of breakage caused by the introduction of new functionality (which does happen from time to time).

You can obtain information about specific security fixes at Red Hat's site by searching for the CVE number.

Or, to see the change history of the package online, try:

rpm -q --changelog subversion

You'll see the most recent entries first, starting with:

* Wed Feb 12 2014 Joe Orton <[email protected]> - 1.6.11-10
- add security fixes for CVE-2013-1968, CVE-2013-2112, CVE-2014-0032

CentOS (or really, RHEL with CentOS along for the ride) commits to supporting the version they're distributing until the OS is end of life; they are responsible for backporting security fixes to the old/unsupported version.

The reason for this is stability; they don't upgrade major versions of software within a major OS version in order to not break application compatibility on regular updates. EL 6 is definitely getting to the point where some of those packages are pretty old simply due to its age and when those package versions were locked in; EL 7 is just around the corner.