An APK signed with ONLY the v1 (JAR) scheme is exploitable via Janus (CVE-2017-13156) on Android < 7.0, where attacker-prepended DEX runs while the signature still verifies. (v1 alongside v2/v3 is fine: v2 mitigates Janus on Android 7+ and v1 is required for older devices.)
v1-only signing is vulnerable to Janus (CVE-2017-13156) on Android 5.0-8.0: an attacker prepends a DEX to your signed APK and it still verifies, so users "update" to a trojaned build that keeps your signature.
Attackers can ship malware that passes as your legitimately signed app on older devices.