This isn't for the users, this is for the developers:
Move to version 3.0.
Stop making security patches and upgrades at the same time. Security patches should be only security patches; as end users, we should be able to get off the "upgrade elevator" at any stop. 2.8.5 should be only security fixes, no new features or changes. At each version, there should be a "final" secure version.
Stop all development at the current level on the version 2.x guts; there are some very basic programming issues that won't go away that are leading to many of the security problems. Stop messing with it; the current code has been monkeyed with too much. Just issue security fixes as needed, and call the entire 2.x.x tree done and completed.
Start fresh. Simplify. Rethink the architecture. Straighten up security, force API compliance, and make it all work properly and simply.
We look forward to version 3.0.1 (because 3.0.0 will have bugs).