This does not surprise me. Updating software takes time, effort, and is risky. It's also not fun. The result is a lot of people ignore it even though it means their software can be easily hacked. Note I think people should keep their dependences update to date. Unfortunately, I also know human nature and that means I know many won't.
You see a similar problem with obsolete computers, operating systems, phones, routers, etc. People keep them connected to the Internet even though they have known vulnerabilities. People who do this will even claim they have not been hacked.
This will only change when liability becomes a regular thing in computing, like in every other industry out there, instead of only high integrity computing.
Hopefully we don't go down the "liability for open-source code, not for businesses" road.
We'll have to allow open-source code to waive liability, but not allow companies to waive liability; that's tricky and will go against the interest of the rich and powerful, so it will be especially hard to navigate.
You see a similar problem with obsolete computers, operating systems, phones, routers, etc. People keep them connected to the Internet even though they have known vulnerabilities. People who do this will even claim they have not been hacked.
reply