There's an eternal conflict between DevOps and DevSecOps - for the former "OLD IS GOOD" (tested & stable), for the latter "OLD IS EVIL" (vulnerable). Unfortunately, business shares the first point of view, while the Internet prefers the latter.
@Limax Well, that's the essence of risk management. For the purpose of DevOps we don't need fully quantified RM; it's sufficient to know "vulnerable software increases the likelihood of a breach".
@kravietz Tell that to the C-Suite, which treats security in the same way as climate change - ignoring it until it is too late.
@Limax That's unfortunately the case - because neither business nor the public sector is held liable for the loss of customer data (only the customers are), it's not part of their business equation.
@kravietz Because it is impossible to quantify the cost-benefit of a cyberattack that may never materialize (but most likely will).