My general rule is that a security fix is worth backporting a SONAME change
for, if there is no way to backport the patch.
In this case all the Fedora branches are recent enough but EL 7 and EL 8 are not and are impractical to fix at this point.
I've already been bitten in the past making major updates to EL branches. I believe this was also with OpenImageIO. Someone was using it at work for their project and had validated against the current version. Obviously in this case there is NO way to determine out of repo dependencies.
The update was required to support a Review Request package so he ultimately re-validated against the newer version, but lesson learned.
Since all of the severities are Medium and not High I think I will leave it as is.
Thanks,
Richard