You are perfectly correct. No one in the company where I work can "understand this attitude". You decided, without any warning, notification or documentation, to simply remove a piece of your core code. Were you not able to figure out that this would break any and all code that depends on the removed code? The reason that was first given was that there was a security vulnerability, once again without any elaboration. This explanation was only given after error reports started to roll in. You cited "constrained resources" as the reason for not fixing this vulnerability. But there are apparently no "constrained resources" when it comes to delivering other functionality, since there have been at least two releases made - 1.2.9 and 1.2.10 - and several 1.3.0-alpha releases since the DBAppender was removed. What the hell kind of functionality is more important than fixing a (possible) security vulnerability?!?

We now get to hear that the true reason you just blatantly removed the code was "we did not have the time to perform the due diligence". It has been two months. Do you think that large cap organizations are just going to sit on their hands waiting for you to eventually start prioritizing a (possible) security vulnerability? I am not in the company that "threatened to move to a different library", but I can assure you that I work in just as large a company, and the discussion here is exactly the same: shall we kick out logback due to this "attitude"?

So what would a professional organization have done? IF, and I mean IF, the code was removed in the first place, it would have been made available in a separate package. A clear explanation of the security concern and of the possible new package would have been provided. And full focus would have been on addressing this issue.