And sometimes security or IT just play it excessively, and never allow anything just to make sure they can't be blamed for anything:
"No, you can't improve the situation with the Linux servers that hasn't been updated since 2013 because those servers don't exist in our roadmap, and therefore there's no policy document that we can lean on to make any decisions. So the servers stay in their miserable state until we can phase over all customers that use those servers to some other product eventually. In a few years. Hopefully."
Note that the above isn't fiction, but exactly what happened a few months ago. Luckily I managed to transfer to a team that didn't have to deal with those servers.
"No, you can't improve the situation with the Linux servers that hasn't been updated since 2013 because those servers don't exist in our roadmap, and therefore there's no policy document that we can lean on to make any decisions. So the servers stay in their miserable state until we can phase over all customers that use those servers to some other product eventually. In a few years. Hopefully."
Note that the above isn't fiction, but exactly what happened a few months ago. Luckily I managed to transfer to a team that didn't have to deal with those servers.