I'm sure Apple has a policy, but it's clearly not released to the public and probably gets re-evaluated constantly based on many factors.
Whenever I need to know what's supported now, I go to the index of what Apple Care covers (since AppleCare is the support wing that maintains knowledge base articles, answers questions, etc...)
- The Apple Support Sitemap - This answers your question about the definitive list of actively supported OS. As of May 2012, this includes three major versions. 10.5, 10.6, 10.7 As of September 2012 (after Mountain Lion has been out for more than a month), the support for 10.5 isn't yet removed from the Support Sitemap so we are in a window where four major versions of the OS are still supported.
You can of course see the latest updates for all OSX OS at their respective support pages, even past the time when they are "actively in support"
I don't think Apple publishes a hard and fast policy. My experience is that the current and past two versions have always been supported. There are times when more than three versions are supported, so you may get to see this when 10.8 gets released. It also might be more tied to hardware that was sold. Apple generally bases support on US sales dates with a 5 year window for hardware support after a model is discontinued for sale. I would also expect that large institutional orders (education, government) will tend to keep older hardware and software in support due to contractual agreements or the local law.(Examples for that are anything sold in California or Turkey, government contracts in Virginia and still different regulations in France.)
If you have a business relationship with Apple due to being certified as a technician or have help desk level support in place, then you will get pre-announcements of which products and software are announced to go into non-support before the time arrives.
Basically, if you need to know this sort of non-public information ahead of time, you can become certified (cheaper, takes more time and knowledge) or pay for this level of support and have access to information that looks forward so you can plan for change and know you are supported by Apple. As you can see, there are several factors that seem to play into the length a support window stays open and there are several free options to help you guess the timing if you don't need to pay for this information.
Apple don't provide any end of life information unfortunately, and you're correct that they only support the current and previous versions, although they do still release security patches for the one before that from time to time for another release cycle after this.
So you'll get up to 3 years out of an OS release, and that usually an Apple computer will be supported by new OS releases for around the same time.
Best Answer
Not particularly at any grave security risk since Apple is supporting and releasing security updates to OS X for n-3 generations of the OS as of August 2014:
This is documented on the main support page at http://www.apple.com/support/osx/
I haven't seen any time when n-2 were not supported on OS X so unless you depend on enhancements to Gatekeeper or the more advanced security features that are new on 10.9 such ad Application Layer VPN, Sandboxed Plug-ins, Additional sandboxed Apple Apps, OTA certificate revocation to make up your definition of risky to stay on 10.8 then you should be equivalently secured on 10.8 for the foreseeable near future.