[icedchai]

The reality is that in many organizations, nobody wants to update or reboot anything unless absolutely necessary. I once took a contract job at a company that wanted me to migrate and upgrade some Linux VMs running on a 5+ year old distro. This was a decent sized, established company, not a startup (1000's of employees, 100 million+ revenue)

The existing VMs had not been updated or rebooted in years. Several had 1200+ day uptimes! These systems were accessible from the Internet and regularly used by customers for an important, highly specialized product. The only reason they were even bothering was they had failed some security scan and nobody there could even understand how to use SSH.

The minimum level of IT security is apparently barely anything.