Comment by linzhangrun
1 day ago
Not to mention embedded systems. In fact, most people's Windows machines hardly get updated. You remember WannaCry, right? I work at a mid-sized e-commerce company making hundreds of millions in annual profit. Our servers run Windows Server 2012 and use PHP 5.3 — never upgraded. Aside from me, the newest developer machines are Windows 10 21H2, then Windows 10 1809, and even Windows 7. I heard there’s also a server running Windows Server 2008. And I don't see any hope for improvement: non-software companies, especially in the current economic climate, cannot invest huge resources to completely refactor everything. The entire tech department is no more than 10 people; doing a refactor would mean halting all business operations, so patching and mending on top of what's already there is the only viable option. Shortly after I joined, I found several SQL injection vulnerabilities and successfully exploited them to register as the root user on the server (on MySQL 5.5) and extract passwords. This is the technical reality for many non-specialist software companies.