The software running the US nuclear missile silos did not change from the 1970s until 2019.
This 8-inch floppy disk is not just for the photo op; it was part of the real procedure. This is an IBM Series/1 computer. I was going to use them as a counter example of something that never needs to be updated. But alas, they have modernized. 50 years was a pretty good ride.
In 2016, the US Government Accountability Office released a report detailing the risks associated in continuing to run on the aging architecture. The report highlights the risks of running on hardware that is not only past support, but it also isn’t being manufactured anymore.
So it’s not the software that is the major risk. The software is mature.
Security through obscurity works until the hardware is no longer supported.
Here’s a better example of software that is far older and never updated.
Core banking software.
Sorry, I don’t have a fancy graphic for this one. But you might as well picture The Matrix code.
It’s written in COBOL or RPG. A big bank might have thousands of developers and engineers working on digital banking apps and services. But none of them ever get to touch the Core which does things like ledgers and calculating your daily balances.
If you want to work on the Core, you first have to defeat a dragon in single combat.
There are 3 more steps, but I’m not allowed to disclose what they are. And that’s just to get access to view the code repository. Your pull request has to be approved by a counsel of wizards just to get your changes deployed to UAT.