What's next for Apache OpenOffice

It's worse than that. As I noted in the other thread (https://lwn.net/Articles/699108/), the vulnerability which started this discussion had been found and fixed on LO more than an year before it was reported to AOO. An attacker would just have to search the LO commits for the many ones marked as fixing issues reported by valgrind/coverity/etc; some of them will be vulnerabilities in OOo code inherited by both AOO and LO.