Spring Framework Upgrade Plan #12947
Hello, our company's security department has recently tested GoCD and suggested that we upgrade the dependency packages. May I ask if you have any upgrade plans or suggestions for us? Thank you.
Replies: 1 comment
There are no firm plans. While some pre-requisites have been completed, the work is currently blocked on #10262, but please note https://www.gocd.org/2023/02/13/gocd-project-status/ - despite opening this ticket over 2 years ago, there has been no help volunteered by the community of GoCD users. Having said this, despite the warnings that naive security tools will raise, there are no vulnerabilities in the current Spring or H2 versions that are known to affect GoCD at the time of writing. Nevertheless, both Hibernate and Spring are on EOL, unsupported versions, which poses a risk of its own. As noted at https://github.com/gocd/gocd/blob/master/SECURITY.md, you can review all suppressions and commentary here. These have all been painstakingly reviewed one-by-one to assess impact (by me, so take that how you will). I only suppress CVEs where I am confident that they are not exploitable within GoCD's current usage and likely future usage. I would suggest that you discuss with your "security department" whether the commentary I linked above is sufficient for them to feel comfortable with continuing to run GoCD in its current state.