A lot of the rhetoric around updates and security drives me bonkers. You’d think your entire life will be ruined unless you install every update right away. It’s true that if you don’t want to think too hard, staying fully up to date is an easy shortcut for being reasonably secure in most situations. But that’s not practical or desirable for everyone.
True zero-click RCE vulnerabilities—where merely connecting your computer to the internet is enough for an attacker to infect the machine—are extremely rare, especially if you’re using the computer behind a router. To my knowledge—and I have researched this reasonably extensively—there are not any known vulnerabilities like this on any version of macOS. In order for an attacker to hack you, they would have to be able to run malicious computer code on your machine.
So what opportunities are there for a ne'er-do-well to run malicious code? One way would be to install a malicious app. However, I only install apps from developers who I have concluded are good/trustworthy people. There is certainly a risk I will end up trusting the wrong person, but that’s true for most things in life.
It’s theoretically possible for an outdated, vulnerable app to open a document or media file which tricks it into running malicious code. This is a legitimate concern. However, these types of vulnerabilities are generally difficult to exploit. So unless you’re a high-value target who someone will be willing to put considerable effort into attacking, you probably aren’t going to get hacked in this way. That said, you should briefly stop and think before opening a document you downloaded from the internet on an old OS. If you know the source, it’s probably fine. If it came from a Nigerian Prince, stay away.
By contrast, when you browse the internet, your computer is constantly running JavaScript code from all over the place! You probably don’t think “do I trust the owner of this website” every time you open a link—I certainly don’t. IMO, this is a clear source of danger, and I do NOT recommend browsing the web with both an unsupported operating system and an unsupported web browser. If your web browser is up-to-date, the browser sandbox should keep code isolated. However, an outdated web browser may have documented vulnerabilities. So I’d say you should always use an up-to-date web browser if at all possible!
Security people will tell you it’s better to also have defense in depth—if there’s a vulnerability in your up-to-date web browser which no one knows about yet (a “0 day”), it’s better to have an up-to-date operating system as an additional layer of protection. They’re right, of course! But if you’re Joe Schmo and not working with military secrets, what are the chances a sophisticated hacker is going to waste a heretofore undiscovered vulnerability on you?
All of this is to say that, yes, of course using old operating systems is less secure. But in practice, when normal people get hacked, it's virtually never caused by some sophisticated OS exploit! The real danger lies in simple and stupid credential stuffing attacks, aka stolen passwords. I truly believe that for almost everyone, just using a password manager and a unique randomly-generated password on every website will make you more secure than 99% of tech users, and any brain power you’re currently spending worrying about your operating system should be dedicated to switching to a password manager. Otherwise, keep your web browser up to date and think before installing an app, and to some very limited extent think before opening a file.