... I'm not even sure what they could possibly do to fix the vulnerability, which is my concern, unless an error code is just sent, but that'll have to be tested for an index out of range error and would mean less backwards compatibility.
The problem with attempting to "properly fix" this issue... is that all the Electrum Servers would need to be updated so that they returned something meaningful for the client to parse.
Someone posted a link in another thread about the Electron Cash "hack" that they implemented in the client... which, while effective, is not really a "proper fix".
Also, it isn't really a vulnerability in the typical sense of the word. There isn't a direct security vulnerability with an immediate threat to the user. It doesn't auto-download any malware, the user's wallet/seed/keys are not at risk etc... unless the user manually downloads the malicious client and executes it.
(An alternative, probably better approach is to use ThomasV's Bitcoin address and the signed message beneath, and then it'll be obvious for people using an old version if it's not there, and newer versions could verify the signature on receiving the message).
How would you sign the message without the private key? You'd need the Electrum server code to have access to that to be able to sign the message...