The thing is, in web appsec world, when Classic ASP was a production platform, we were very early in terms of what attacks would be prevalent and the defences that are generally added to modern web application frameworks were not in use.
In theory you can totally add those protections per application but the effort of doing that, maintaining the knowledge required per application or team and keeping on top of new research, is likely higher than just moving to a new framework which has in-built protection.
Also you have to consider developer availability. At 19 years since it was deprecated, there is a smaller pool of people who are skilled at maintaining that codebase, and the group of people who can do that, and keep on top of web application security attacks is even smaller.
Attacks evolve, but I remember reading around 2005 on OWASP site about SQL injections and XSS. Database APIs with parameter binding (and auto-escape of these parameters) where available in most popular languages even back then and here we are 15 years later, SQL injections and XSS are still in OWASP top 10.
Though Classic ASP was released much earlier in 1996 and I don't know if SQL libraries offered parameter binding and template engine - escaping of string in template variables.
The first named mention of SQLi was 1998 by Rain.Forest.Puppy (AFAICR), however classic ASP did not have any in-built protection from it.
I started in security in 2000, as an analyst for an org using classic ASP. maintaining security was a pain.
I then started as a pentester in ~2005 and what I can tell you is, in my experience, classic ASP applications rarely had good protections against injection attacks (e.g. XSS, SQLi) for precisely the reason that the framework did not protect against it, leaving developers to make sure they had routines to canonicalise/sanitize/parameterize input correclty, and also that they implemented them universally across all possible user inputs.
Whilst this isn't impossible, in my experience, it was rarely done perfectly.
In comparison, something like ASP.Net which had in-built protections available, at least had the chance of having good uniform protection.
In theory you can totally add those protections per application but the effort of doing that, maintaining the knowledge required per application or team and keeping on top of new research, is likely higher than just moving to a new framework which has in-built protection.
Also you have to consider developer availability. At 19 years since it was deprecated, there is a smaller pool of people who are skilled at maintaining that codebase, and the group of people who can do that, and keep on top of web application security attacks is even smaller.