Can people call older versions of implementation contracts?

Whenever an upgrade is made and deployed, there will be a new address for the implementation contract on the network. I understand that users will be interacting with the proxy contract. However, since older versions of implementation contracts are also on the chain, that means people can directly call those implementation contracts, right?

If there's a security bug in the older contract that may benefit malicious users, what's stopping those users from calling the old buggy contract, even though the proxy contract is now pointing to a safe contract?

Do you have specific examples? It really depends on how the implementation contract is designed: Does it have the selfdestruct function? Does it have open external functions? Etc.

Let's use some very simple examples. Consider that I have a v1 contract:

contract V1 is Initializable {
    function initialize() public initializer {
        // ...
    }

    event Foo(string message);

    function foo(string memory _message) public {
        emit Foo(_message);
    }
}

Then, we upgrade the contract to V2 where we simply don't have the foo() function and event anymore.

Let's say that when we deployed our V1, two contract addresses were created:

  1. Proxy contract: 0xPROXY_CONTRACT_ADDRESS
  2. V1 contract: 0xV1_CONTRACT_ADDRESS

Then, when we deploy V2, the proxy contract address stays the same but V2 is deployed to 0xV2_CONTRACT_ADDRESS.

Now, even though our V2 does not have foo() anymore, people can still call it using 0xV1_CONTRACT_ADDRESS, right?

I think so, since this foo function does not have any access restriction. Access control through modifiers can mitigate this type of issue.


Now, even though our V2 does not have foo() anymore, people can still call it using 0xV1_CONTRACT_ADDRESS, right?

This is correct, but the v1 implementation is not linked to any proxies' state. It has its own state which is not used by proxies and could have been initialized with gibberish values.

It's also possible for someone to deploy a new proxy and point it to the v1 implementation, or to "upgrade" (but really downgrade) a proxy from v2 back to v1 (as long as you have the right permissions and as long as the storage layouts do not conflict).
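Added example, not part of the thread or of any project's code: a sketch of the modifier-based mitigation mentioned above, combined with the point that an implementation called directly only touches its own storage. `V1Guarded`, `MinimalProxy`, `onlyProxy` and `counter` are hypothetical names, and `MinimalProxy` is a bare delegatecall forwarder for illustration, not a production proxy.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical implementation contract (added example).
contract V1Guarded {
    // Immutables are stored in the deployed bytecode, not in storage, so this
    // is the implementation's own address even when run via delegatecall.
    address private immutable _self = address(this);

    // Slot 0 of whichever contract's storage is in context.
    uint256 public counter;

    event Foo(string message);

    // Under delegatecall address(this) is the proxy, so the check passes.
    // On a direct call address(this) == _self and the call reverts.
    modifier onlyProxy() {
        require(address(this) != _self, "call through a proxy only");
        _;
    }

    function foo(string memory message) public onlyProxy {
        counter += 1; // writes the calling proxy's storage, never V1Guarded's
        emit Foo(message);
    }
}

// Hypothetical forwarder (added example). The target is immutable so that it
// cannot collide with the implementation's storage slots.
contract MinimalProxy {
    address private immutable _implementation;

    constructor(address impl) {
        _implementation = impl;
    }

    fallback() external {
        (bool ok, bytes memory ret) = _implementation.delegatecall(msg.data);
        assembly {
            if iszero(ok) { revert(add(ret, 0x20), mload(ret)) }
            return(add(ret, 0x20), mload(ret))
        }
    }
}
```

The guard only rejects direct calls to the implementation address. A separately deployed proxy pointing at the same implementation still passes the check, but its calls read and write that proxy's own storage, not the storage of the original proxy.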