I have one specific package (moodle) which is not available on newer versions of aforementioned OS (last version of moodle was available on OpenBSD 5.3) which is more than 4 years old.
In my opinion you ask the wrong question. The problem is less the old version of OpenBSD but more the old version of Moodle you want to run on this OpenBSD version. Although you don't specify details my guess is that you want to use this package (or here) which contains Moodle 1.9.16 on PHP 5.4 - both being very old.
OpenBSD releases are supported essentially for one year. Running a version of OpenBSD which is more than 3 years out of support can maybe done if you really know what you are doing to keep the attack surface minimal enough - for example by only having SSH access with only key based authentication and if you have no untrusted users on your system.
But, running a large web application like Moodle definitely does not count as minimal attack surface. Web applications are usually complex and often have security vulnerabilities, sometimes even critical ones which allow remote code execution. And such vulnerabilities also exist with older versions of Moodle as a simple search shows. And while sometimes critical fixes get backported to older versions you can see from the commit history that the last change on this package was done 2012-01-21. I guess that this non-maintenance of the package was also the reason that it got removed from ports on 2013-09-20.
In other words: Running an old version of a large and complex application like Moodle with known critical security vulnerabilities is a very bad idea. And the security of OpenBSD will not help to protect you much in this case. It will not help much if you use a current version and it will help even less if use use an old and unmaintained version of OpenBSD.