Comment by bradly
1 day ago
Even when talking about themselves in the article they mostly focus on some hardware server business.
In software, outdated dependencies are vulnerabilities. The tech leadership knew this tradeoff and closed their eyes and hoped they'd get to it before someone else did. They did not and you shouldn't expect to be able to either.
If you do not have the resources to support the continual, ongoing updating of a dep, you do not have the resources to add said dep.