Things change often in Android, and vulnerabilities can easily appear in older versions of dependencies (see the discussion on known security vulnerability flags a few months back). So I think it’s fair to say that any app that isn’t getting ongoing maintenance presents a risk, even if it’s a simple app that still functions without it. Some actively maintained apps only release new versions every 6 months, or even every year, but I’d say flagging an app as “unmaintained” after one year with no new release is a good rule of thumb.
As with the anti-feature and known vulnerability flags, it’s just a way of letting people using F-Droid know of a possible risk. What we do with that is up to us.