It would make sense if the cost/danger for the thieves to check every door would be prohibitive. Unfortunately, with networked computers, checking the doors is usually both riskless and effectively free.
There are still active attacks against DOS and Win98. Automated driveby attacks, just looking to increase the size of a bot farm. There are still new exploits being released against rather old systems.
You attack the networking stacks for it, those are still actively developed (mTCP was last updated Jan 2025) as businesses use networked DOS for quite a few things. A DOS networking stack consists of a packet driver, a NIC driver, and a protocol library. All of those have attack surface. NIC drivers in particular often haven't really had updates since they were first released. Because for hardware manufacturers of the time the goal was on getting people to use the hardware, not on supporting them. There are newer DOS NIC drivers than you'd think too. Realtek last I checked still makes and supports an ISA NIC.
So you are not talking about attacking old code at all, but networking stacks that are indeed actively developed? That feels like a very different ball game from attacking Win98, even if the platform they are running on top of is old.
It's a complicated space. There are attacks on both maintained and unmaintained stacks. There are definitely attacks against windows 95/98 too because people have things like mills or other industrial automation that are powered by those OSes still connected to the internet. There is a lot of SCADA[1] too that fits that bill. It's easy to think "but why wasn't this replaced!" and the answer is almost always "cost or process certification". If the operator is lucky and has good networking folks all of this is in a very very well firewalled VLAN. But, never underestimate the amount of people that are not that savvy and just have it plugged into the internet.
For anyone saying these aren't targets, no they are probably already hacked. These are the things that keep the national security folks up at night knowing an adversary has them already backdoored and set up for take down. Moreover if they execute on that they would go for maximum damage first to either create chaos, or prevent the system from being repaired easily.
Would suck if an exploit was present for years, sometimes decades. Would especially suck if people piled up old exploits and fell back on them as needed.
Actually riddle me this: what if you want to exploit exactly the type of person to disable updates? They are potentially more lucrative targets if nobody else targets them. Just a thought. It's sort of how "delete me" services profit off paranoia, they're a lucrative market because of the paranoia.
Everything was a zero-day at one point in time. The effort is indeed usually put in whilst it is the current version. But retying all old malware isn't effort; it is more or less the definition of script-kiddy (though state level attackers will do it too).
Those of us who actually do this stuff for a living still routinely see probes for Slammer, Zotob, Blaster and more from when we booted our computers by rubbing two sticks together.
Both Chrome and Windows are now in that position.
Basically, unless you are of interest to state level attackers, in 2025 even unpatched Chrome/Windows wont get drive by exploited.