That's right, 4.3.x is in maintenance mode. It is an optional dependency however so a project has to choose the version. That said from the reports CVE-2017-5644 and CVE-2017-12626 it looks like upgrading to 3.17 should cover those issues.
Indeed, 3.14 is just the POI version that we happen to compile against, as a baseline for our API dependency. Like with all of our optional integration arrangements, the specific version for a particular application is always chosen by the application project setup.
So we effectively support POI 3.14+ for use with Spring Framework 4.3.x, recommending the latest in line... since even POI 3.17 is being superseded by POI 4.0 in the meantime, we should be able to upgrade our build dependency to it in the 4.3.x line at this point.