Hacker News
by gsylvie 3182 days ago
THIS:

> "who is responsible for patching applications with no development team anymore?"

Struts 2.2.3 (oldest vulnerable version) was released on May 7, 2011. Personally I find it easy to imagine an app depending on that, going into prod, and just chugging away, forgotten for 6 years on some obscure corner of an enterprise's public (or internal) web assets.

2 comments

I personally have no idea how large companies manage this. Every time I perform a full Docker update on all of the libraries and applications my app is running on, something breaks. Sure, tests catch it, but it takes a developer and time to figure out how to fix it. No idea how huge non-developer organizations handle this.
Getting business lines to sign off and invest the resources to update applications can be a huge challenge. Shiny new applications get all the attention, but maintaining and updating legacy applications is not prioritized.
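The forgotten-app problem in the first comment has a practical first step: find out which Struts 2 jars are actually sitting on your servers before you argue about who owns them. The scanner below is an added example, not code from the thread or from the Struts project. It walks a directory tree, matches loose struts2-core jars by filename, opens .war/.ear archives to check their WEB-INF/lib entries, and flags versions inside a caller-supplied inclusive range. The version ranges in SAMPLE_RANGES are illustrative placeholders (only the 2.2.3 lower bound comes from the comment above; take the real bounds from the advisory for the CVE you are hunting), and build_sample_tree() fabricates a small fake deployment so the script runs offline.

```python
#!/usr/bin/env python3
"""Find Struts 2 core jars on disk (loose, or inside WAR/EAR archives) and
flag those whose version falls inside a caller-supplied affected range."""
import os
import re
import tempfile
import zipfile

# Matches struts2-core-2.3.31.jar, struts2-core-2.5.10.1.jar,
# struts2-core-2.5-BETA1.jar, ... and captures the numeric version.
STRUTS_JAR = re.compile(r"^struts2-core-(\d+(?:\.\d+)*)(?:[-.][A-Za-z0-9.]+)?\.jar$")

# ASSUMPTION: illustrative inclusive ranges, not taken from any advisory.
# Only the 2.2.3 lower bound is quoted in the thread; substitute the real
# bounds for the CVE you are hunting.
SAMPLE_RANGES = [((2, 2, 3), (2, 3, 31)), ((2, 5, 0), (2, 5, 10))]


def parse_version(text):
    """'2.3.31' -> (2, 3, 31). Tuples compare component-wise; strings do not
    ('2.3.9' > '2.3.31' as strings, which is exactly the bug to avoid)."""
    return tuple(int(part) for part in text.split("."))


def struts_version(filename):
    """Version tuple if the basename is a struts2-core jar, else None."""
    match = STRUTS_JAR.match(os.path.basename(filename))
    return parse_version(match.group(1)) if match else None


def is_affected(version, ranges):
    """True if version lies inside any (low, high) inclusive range."""
    return any(low <= version <= high for low, high in ranges)


def scan(root, ranges):
    """Walk root and return sorted [(location, version, affected)] for every
    struts2-core jar found. Loose jars are matched by name; .war/.ear files
    are opened and their entries checked, since a deployed webapp normally
    carries its libraries under WEB-INF/lib inside the archive."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            version = struts_version(name)
            if version is not None:
                findings.append((path, version, is_affected(version, ranges)))
                continue
            if name.lower().endswith((".war", ".ear")) and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as archive:
                    for entry in archive.namelist():
                        entry_version = struts_version(entry)
                        if entry_version is not None:
                            location = f"{path}!{entry}"
                            findings.append((location, entry_version,
                                             is_affected(entry_version, ranges)))
    return sorted(findings)


def build_sample_tree():
    """Constructed fake deployment (not real data) so the scanner runs offline:
    one exploded legacy app, one old WAR, one newer WAR, one unrelated jar."""
    root = tempfile.mkdtemp(prefix="struts-scan-")
    lib = os.path.join(root, "legacy", "WEB-INF", "lib")
    os.makedirs(lib)
    for jar in ("struts2-core-2.2.3.jar", "commons-lang-2.6.jar"):
        with zipfile.ZipFile(os.path.join(lib, jar), "w") as z:
            z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(os.path.join(root, "portal.war"), "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr("WEB-INF/lib/struts2-core-2.3.31.jar", b"")
    with zipfile.ZipFile(os.path.join(root, "new.war"), "w") as z:
        z.writestr("WEB-INF/lib/struts2-core-2.5.13.jar", b"")
    return root


if __name__ == "__main__":
    for location, version, affected in scan(build_sample_tree(), SAMPLE_RANGES):
        label = "AFFECTED" if affected else "ok      "
        print(label, ".".join(map(str, version)), location)
```

Point it at a Tomcat or JBoss deployment root instead of the sample tree to get a real inventory. The obvious caveat: a shaded or repackaged uber-jar carries Struts classes without a struts2-core filename, so a clean run from this scanner is a first pass, not proof of absence; for those, check class paths inside the jars or an SBOM.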