There are two transitions to be aware of here based on the company's role.
Product development: The only option at this point is 140-3. Some updates can still be done for existing 140-2 devices, but if a company wishes to validate a new product to FIPS 140, FIPS 140-3 is their only option.
Product procurement: All 140-2 products will migrate to the historical list 2026 as this article states. This does not mean they can no longer be used (unless company policy dictates this). This means these devices can no longer be procured and only 140-3 devices will be procurable for compliance.
Overall just because a device is 140-2 compliant does not mean it is inherently less secure than 140-3. This will come down to the specific device in question. Cryptographic algorithms, for instance, are not necessarily different between 140-2 and 140-3. Approved cryptographic algorithms are added and removed in parallel to this program (algorithms fall under CAVP while the other requirements fall under CMVP). The impact of 140-3 is more apparent in more complex and higher level devices.
