Wouldn’t there be a point where we run out of readily exploitable vulnerabilities against a specific platform ?
For instance if I was running a server on an 50 yo IBM framework serving static pages, how many serious attack vectors have been left unpatched at this point ? (ignoring DDOS type of issues where the content is not compromised)
There was a 26-year-old bash bug a few years back. How would you ever know when you'd found the last bug? Unless you do some formal verification of that 50yo IBM framework, I certainly wouldn't trust it to be exposed to the internet.
You're modeling ability as a binary when it's more like a bell curve. Most attackers are somewhere in the middle and old systems are going to be most vulnerable to them.
For instance if I was running a server on an 50 yo IBM framework serving static pages, how many serious attack vectors have been left unpatched at this point ? (ignoring DDOS type of issues where the content is not compromised)