For any product, a patch is released only till the core support is there for the product. This means that there would not be any security patches released for CF 8.x.
If what you say is true Please address the question in this forum from 14 May 2013.."Does vulnerability CVE-2013-3336 apply to CF8.0?
This question is a response to clarify the release note from ADOBE..."ADOBE has identified a critical vulnerability affecting CF10, 9.0.2, 9.0.1, 9.0 and "earlier" versions for Windows, Mac...and Unix. This vulnerability (CVE-2013-3336) could permit an unauthorized user to remotely retrieve files stored on a server.
This release by ADOBE indicates CVE-2013-3336 earlier versions of coldfusion and that seems to include CF8. Also, if an owner has extended support why would ADOBE allow extended support to go without vulnerability coverage?