[secabeen]

That's my real concern: old, out of date images. How will we handle another OpenSSL-level vulnerability in 7 years, with bad code buried in containers that haven't been updated in 4, and for which the build infrastructure is no longer functional?

[Spivak]

This really isn't that different from having some pre-built statically liked app still kicking on your system with the source and/or build tooling long gone.

There aren't really easy answers here. You can't fix bad software with more tooling.