We’ve thrown out several suppliers in recent years, because they weren’t supplying security updates or security updates in a timely manner.
There are some older products that just don’t have updates, which can’t be replaced; these get isolated - we have a lot of working lab equipment, where the latest version of the controlling software runs on XP. Those machines are either not networked or they are on a sealed segment, where they can only see each other.
But that is our choice - $750,000 to replace a perfectly working piece of kit, just because the controlling PC has to run XP is a difficult choice. Luckily, the PCs don’t have to be online or generally communicate with each other.
At another employer, I took over the IT manager position. The previous external service provider had set every user’s password to 123456 (so they could provide support) and all of them had email accessible over OWA on the Internet!
My first day was spent locking all Internet access to their accounts and forcing password resets!
So, I do understand that a lot of companies don’t care about security.
I’ve also worked on the other side, writing software for large corporations, and we always ensured that known security updates were pushed out quickly. Likewise, I helped develop several online shops and provided security updates for them.
I did a security report (before cybersecurity was a word) for a UK retailer who was moving online. I pointed out dozens of security holes in their system. The managers didn’t want to spend money on fixing it and the programmers didn’t like someone external being paid to look at their code and show them where there were problems…
I showed them that anyone could log on, using any user’s account. Not interested. I showed how I could pull out all the customer details and credit card information. Not really that bothered(!)
Eventually, I got frustrated and using the logon screen, I dropped the whole development database from the server… That opened their eyes and they got busy sorting out the problems…