CRA states in article 13 (21) that: "From the placing on the market and for the support period, manufacturers who know or have reason to believe that the product with digital elements or the processes put in place by the manufacturer are not in conformity with the essential cybersecurity requirements set out in Annex I shall immediately take the corrective measures necessary to bring that product with digital elements or the manufacturer’s processes into conformity, or to withdraw or recall the product, as appropriate"
At the end of the article, the "or" would mean that if the manufacturer provided a corrective measure for a given vulnerability, he would not be required to withdraw the old vulnerable versions of the software from the market. Is my understanding correct?
There are some cases where the withdrawal could cause issues for existing projects.
I don't think the version ever needs to be withdrawn. It's the product that should be withdrawn if the vulnerability is not fixed. Once there is a new version, the old one becomes obsolete, but it's not withdrawn. That's also how it usually works in software development. Old versions are not removed after security fixes.