I think if you want to remain by Server 2008 R2 you could also remain by QV 11.2. AFAIK there is no special vulnerability in 11.2 (here is rather the OS the weakest link in the chain) and I assume that there is no much pressure to get support from Qlik or a partner because it's obviously a long running environment. With no new adjustments there shouldn't be new problems.
Therefore I think you could save the efforts which a migration takes. If your Sense planning to the final deployment may take further one or two years it would be better to upgrade to Server 2016/2019 and to install then a current 12.5 QV release.