If you can't update any software on this system, which makes it insecure anyway, then you probably should stop installing ISPConfig updates as well and keep the last working version, as we can't keep support for old PHP versions forever in new ISPConfig releases.
If you can update the code in those websites so they can run with PHP 5.6, you maybe could run them on Debian 10 with PHP 5.6 as an additional PHP version. I think you could sort everything else out to get those websites running. I remember there was a thread on this forum this year where someone found a PHP version before 5.6 still packaged so it ran on new Debian versions. Don't remember any good keywords to find it easily, though.
@till Huh... would it be possible for me to revert back to an older ISPConfig with full support for PHP 5.3? Is it OK to download an older install, edit the ISPConfig version in the config file and re-run the old installer? I am afraid to break something...
Then do it like every hoster does: Write them an email that, due to security issues, you are going to update the server to a supported PHP version. Give a reasonable time to update. Maybe offer to help with the code review, etc... PHP5.3 has not received updates since 2014. Which means it is only a matter of time until your server will be compromised, your users' data stolen and you face existential damage (you are liable for your server!). The sury repository still ships php5.6 for debian 10 (but you should not do that, it will give you the same hassle as you have now). It is end of life, too, and will be abandoned soon (https://www.php.net/eol.php). Go directly to php7.3 or php7.4. It's much(!) faster though.