In cybersecurity, older software and long‑serving platforms are often treated as liabilities; insecure, expensive to maintain, and overdue for replacement. But much like survivorship bias, this thinking may be leading us to draw the wrong conclusions, and to spend scarce security resources in the wrong places. The latest column from Ben Lipczynski:
I recently came across a morale patch bearing the phrase: “Beware of old men in dangerous professions.”
It raised a smirk, but also a serious question. One that feels increasingly relevant in software and cybersecurity.
Why do we instinctively assume that age, whether of people or technology, equals less effectiveness, less security, or more risk?
The Fear of Standing Still.
In enterprise environments, the pressure to act is constant. Policies, vendor timelines, and compliance requirements frequently funnel organisations toward a default response: update or upgrade. This is often done not because it delivers business value, or even addresses a meaningful risk, but merely to preserve vendor support status.
The assumption is clear: older software is inherently riskier, and patching is the only credible response to vulnerability exposure. But what if both assumptions are wrong?
A recent report published by Origina Ltd challenges this emotional, fear‑driven narrative. It shows that these beliefs often result in decisions that introduce risk rather than reduce it, especially when change is applied without sufficient testing, context, or business justification.
After all, which is worse, a self‑inflicted outage caused by an untested, untailored patch or upgrade, or an outage triggered by an external threat actor?
From a business perspective, the impact is identical: loss of revenue, brand damage, and potentially customers. The difference is that one of those outcomes was entirely avoidable.
When Fear Overrides Evidence.
Much of the urgency around replacing or rapidly patching mature platforms stems from an unfounded belief that older technology is more dangerous. Fear, however, is an emotional response, not a logical one. The data tells a different story.
CVEs associated with mature enterprise technologies have been declining sharply. In fact, across 13 established enterprise platforms, reported CVEs fell by 63% between 2023 and 2025 (year‑to‑date). The majority of vulnerabilities now originate not in vendor code, but in open‑source components.
A common counter‑argument suggests this decline is merely observational, that researchers focus their attention on newer technologies, leaving older platforms under‑examined. Yet independent threat intelligence validates the trend.
More importantly, analysis of real‑world security incidents reveals a consistent pattern: most were preventable through better governance, configuration, and system hardening, not faster patching.
This doesn’t mean new vulnerabilities won’t be discovered, or that new attack techniques won’t emerge. They will. But it does mean that patch velocity alone is a poor proxy for security effectiveness.
The Survivorship Bias Problem.
The logic here mirrors one of the most famous examples of survivorship bias. During World War II, statistician Abraham Wald was tasked with reducing bomber losses. Analysts initially proposed reinforcing the areas of aircraft that showed the most bullet holes, until Wald pointed out the flaw. Those planes had returned. The damage marked where a plane could be hit and still survive.
The areas with no damage? Those were the ones that caused planes not to come back.
In cybersecurity, we risk making the same mistake, focusing on visible, measurable vulnerabilities
Context Over Compliance.
The message isn’t “don’t patch.” It’s that patching alone is not a strategy. Blind adherence to vendor timelines can introduce operational risk in mission-critical environments. Upgrades performed solely to maintain support status often come with additional licence costs, implementation effort, and testing overhead, without delivering tangible business value.
Effective security depends on context: exploitability, exposure, and compensating controls. It requires treating vulnerability management as a strategic risk conversation, not a compliance exercise.
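As an added illustration of the contextual triage the column argues for (this is example code, not the column's or Origina's own method), the snippet below ranks a small set of constructed findings two ways: by raw CVSS score, and by a score that also weighs in-the-wild exploitation, internet exposure, and compensating controls. The weights and the CVE identifiers are assumptions chosen for illustration only.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Finding:
    system: str
    cve: str                     # placeholder identifier, constructed for this example
    cvss: float                  # vendor-published base severity
    exploited_in_wild: bool      # is there evidence of active exploitation?
    internet_facing: bool        # is the affected service reachable from outside?
    compensating_controls: int   # e.g. segmentation, WAF, MFA, allow-listing

def contextual_score(f: Finding) -> float:
    """Severity adjusted by exploitability, exposure and controls.
    The multipliers are illustrative assumptions, not a published standard."""
    score = f.cvss
    score *= 1.5 if f.exploited_in_wild else 0.7   # known exploitation outweighs theory
    score *= 1.3 if f.internet_facing else 0.5     # internal-only exposure halves urgency
    score *= max(0.3, 1.0 - 0.2 * f.compensating_controls)  # each control trims 20%, floored
    return score

def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """The 'patch velocity' view: highest base score first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_context(findings: List[Finding]) -> List[str]:
    """The risk-conversation view: highest contextual score first."""
    return [f.cve for f in sorted(findings, key=contextual_score, reverse=True)]

# Constructed sample estate: one mature internal system, one mature edge system, one new web app.
SAMPLE = [
    Finding("legacy ERP (internal)",  "CVE-EXAMPLE-0001", 9.8, False, False, 3),
    Finding("mature mail gateway",    "CVE-EXAMPLE-0002", 6.5, True,  True,  1),
    Finding("new customer web app",   "CVE-EXAMPLE-0003", 7.2, True,  True,  0),
]

if __name__ == "__main__":
    print("By CVSS alone:   ", rank_by_cvss(SAMPLE))
    print("By context:      ", rank_by_context(SAMPLE))
    for f in SAMPLE:
        print(f"{f.system:28s} cvss={f.cvss:4.1f} contextual={contextual_score(f):6.2f}")
```

The highest-CVSS item (the isolated, well-controlled legacy ERP) drops to the bottom once context is applied, while the actively exploited, internet-facing findings rise to the top regardless of platform age.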
· CVEs across 13 mature enterprise platforms fell 63% from 2023 to 2025 YTD
· Approximately 70% of vulnerabilities originated in open‑source components, not vendor code
· 54%–95% of real‑world incidents were preventable through governance, configuration, and hardening
· Patching remains important—but patching alone does not equal reduced exposure
· Blind adherence to vendor timelines can introduce significant operational risk
· Security effectiveness in 2026 depends on context, exploitability, and compensating controls
Data Source: Exposure and Risk in the Enterprise Software Estate | Origina
“Beware of old men in dangerous professions.” If the technology, like those old men, has survived this long, what factors are truly increasing the risk to your business? Real security comes from informed judgment: governance, configuration, and a clear understanding of your risks, not blind faith in patch velocity or modern tooling. Sometimes the most dangerous belief in security is that new means safe.