by rmbyrro 1000 days ago
You're certainly right.

But in this case, no LTS would have covered, since the system was decades old.

The issue was that they had a poorly maintained service, hugely outdated, which is hard to secure, mingled with their main up-to-date stack.

Lesson: isolate the bad lemons from the good ones.

1 comment

What's happening is companies are doing a risk assessment and thinking "well, it probably won't be hacked, we don't need to replace this with something that is auditable and secure".

That needs to 100% end. There are also cases where companies think, "Well, it will take us 3 weeks to update this stack, we'll leave the old, vulnerable code online for those 3 weeks, plus testing, and plus (of course) push, so 2 months, even though this is a very easily exploitable, high-profile CVE".

That too needs to end.

The only way that can end is if fines are WELL beyond any possible savings, including being 100s of times more than those savings, so that companies will TREMBLE IN FEAR at the very idea of leaving unpatched servers online. Your stack will take 2 months + testing to upgrade?

Because you chose a stack without an easy way to upgrade instantly?

Then you take your stack offline, and tough if it bankrupts you.

Because otherwise, we'll fine the company dry, and its directors, and jail the CTO, and the employees who knew.