That legacy system is not stable, it is abandoned.

Posted on 7 2026
tl;dr:

A server.
An application.
A database.
Something installed years ago by someone who has since moved on and never looked back.

Sometimes it’s still there because it works. Sometimes it’s there because nobody is quite sure what would break if it disappeared. Sometimes it’s there because replacing it would be expensive, disruptive, or awkward.

And almost always, someone will describe it the same way:

“It’s stable.”

Which might be true, but so is a wardrobe balanced at the top of a staircase.

Old isn’t the issue

Not everything old is a problem.

Some systems are well understood, properly isolated, and still doing a useful job. Age on its own doesn’t make something risky.

What matters is whether it’s supported.

Once a system falls out of support, things change:

  • no security updates
  • no vendor fixes
  • no guarantee it will run on anything modern
  • fewer people who understand how it works

At that point, it stops being “just old” and starts becoming something you have to actively manage.

Why it never gets replaced

Unsupported systems don’t stick around because everyone thinks they’re a good idea.

They stick around because removing them is difficult.

  • they still support something important
  • nobody fully understands them
  • replacing them costs more than expected
  • nothing has gone wrong yet

That last one is the trap.

“Nothing has gone wrong yet” isn’t a control. It’s just luck holding steady.

The risk isn’t just security

Security is part of it, but not the whole story.

Unsupported systems also affect:

  • reliability
  • recovery
  • compatibility
  • supplier support
  • incident response
  • business continuity

If it breaks, can you fix it?
If it fails, can you recover it?
If the one person who understands it leaves, what happens then?

If the answer is “probably”, that’s not reassurance. That’s uncertainty.

The signs are usually obvious

You’ll hear things like:

  • “We can’t patch that”
  • “It only runs on that one server”
  • “We still need Internet Explorer mode for it”
  • “We’ve been meaning to replace it”
  • “Just don’t reboot it”

That last one is usually a giveaway.

Systems you’re afraid to restart aren’t stable. They’re being tolerated.

What to do about it

This doesn’t mean replacing everything overnight.

It means being deliberate about the risk.

  • know what’s unsupported
  • make ownership clear
  • understand what it affects
  • reduce exposure where you can
  • and have a plan, even if it’s gradual

“Leave it and hope” isn’t a plan. It’s just delay.

Final thought

Unsupported software isn’t always urgent.

But it is always a decision.

Either you’re managing the risk on purpose, or you’re carrying it by accident.

And accidental risk has a habit of showing up at the worst possible time.

Usually during an incident, an audit, or the moment someone finally asks:

“Can we turn this off?”

Next in the series: MFA is not a personality trait.

Or a simpler question: Which system in your environment is called “stable” mainly because nobody wants to touch it?