My understanding (as a definitely-not-webdev) is that web applications built on this type of framework are often deployed behind a reverse-proxy like nginx, which is running very close to the actual application server. In this case, the reverse proxy can expose HTTP2/3 to the client, while communicating with the application over HTTP1.1. The performance and security benefits of HTTP2/3 are mostly relevant to that frontend connection which is generally has worse network conditions and passes through the public internet. The performance and security benefits are not super relevant to the backend connection, since it has very good networking conditions and is already secure.
This isn't universally true, and there are definitely situations where HTTP2/3 support would be helpful, but it does explain why it's often not a high priority for frameworks.