Choosing to interpret an expired OCSP response as a failure seems eminently reasonable.
If a browser treats a stapled and expired OCSP response as OK, then effectively that browser has no OCSP validation, it almost might as well never look at the OCSP responses at all, since it’s so easy for bad guys to record a valid OCSP response, then play it back forever and fool that browser long after the certificate is marked BAD in OCSP.
Of course it makes no sense for Apache to send expired, or BAD, or otherwise broken OCSP responses over to the client since they can never help, but this is a known shortcoming of the current Apache OCSP implementation and worth complaining about if you’re a server operator using Apache.