[notatoad]

and not just medical devices, but life-support machines running with known security vulnerabilities?

There's nothing inherently wrong with connecting medical devices to the internet, and running an outdated OS on your specialized equipment is fine too as long as it's not being connected to any unsecured networks. But running a known insecure OS on an internet connected life support device has got to be a violation of some law or ethical regulation.

[joe_the_user]

Experience has shown that connecting a device to the open Internet is inherently risky. I'd say any act of connecting a life-support device to the open Internet would have to balance that inherent risk against any supposed benefit such a connection might involve, even if the device manufacture is doing best practices for such a connection.