
Being out of date on dependencies isn't the same thing as using mature tech. I sure hope you're updating on a regular schedule, for the bug and security fixes at the very least.


Updates generate more bugs and more security problems than they fix, so that's not really an argument. If you've made your system sensibly, it will be immune to any security problems.


Wat.

First, I want to see numbers to back that up. New versions bring new bugs that aren't known yet, by anyone. Old versions have older, more widely known bugs. From a stability POV, sticking with the old may be good: you know how to work around the old issues. From a security POV, that's probably bad: every script kiddie has a Burp Suite plugin to exploit it.

Second, there ain't no such thing as an immune system. You can asymptotically approach zero, like you can approach the speed of light, but it would require infinite resources to reach either.


Of course you can have an immune system, where things are not exposed or connected to where they could be vulnerable. For example, there is nothing that a "script kiddie" could write in the comment field of Hacker News that would be able to take control of your computer.

I don't buy into the "cyber security" arguments, and frankly I consider it a grift to keep hackers employed by playing on the fears of people. The same thing as "anti-virus" software, which never really worked in real life and isn't widely used anymore.


There have been image library exploits where uploading an image to a site that processes it gives access. The only solution was to update the library.

Or how about Heartbleed, where the OpenSSL library had a bug. OpenSSL is on the external web server and the attack could compromise server private keys. Perfect for impersonating the server. The solution was to update the OpenSSL library.

There have been browser zero days. Hacker News sanitizes input so a user can't compromise anything. But Hacker News could do an attack.


Consider a fairly normal web site that will send an e-mail from a customer form to the owner, with customer orders. That form is not connected to any private information or any money, at most you will get a spam order if the form is "hacked". Big deal.


Ever read about how Stuxnet infected an airgapped system?

Never say never.


How many US/Israeli spy programs are after your CRUD React app, my guy?


Just between us, you do understand the point of an illustrative example, right? In this case, the person above me said you could have an immune system. I don't believe that's really true anymore. We've moved past it.


Keeping your dependencies up-to-date (at least updating known vulnerabilities) is very different than anti-virus software and the other check-list-oriented "security" industry.

The first is just blatantly irresponsible and dumb "advice", while I do agree that most of the "you need to tick this box in order to get the contract" kind of "security" software is just malware, and often worse than what they supposedly cure.
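As an added example (not from any commenter in this thread), here is a small Python audit that checks a pinned lockfile against a list of advisories with "introduced"/"fixed" version ranges and reports which pins fall inside a vulnerable range and what version to move to. All package names, versions and advisory ids below are constructed sample data, not real advisories.

```python
"""Added example (not from the thread): audit a pinned lockfile against
known-vulnerable version ranges and report the fixing version.

All package names, versions and advisory ids here are constructed samples.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str        # package name (lower-case)
    introduced: str     # first vulnerable version, inclusive
    fixed: str          # first fixed version, exclusive upper bound
    advisory_id: str    # constructed identifier, not a real CVE


def parse_version(text):
    """Turn '2.31.0' or '1.0.1f' into a comparable tuple.

    Each dotted piece becomes (numeric part, letter suffix); numbers compare as
    ints and an OpenSSL-style letter suffix sorts after the bare number, so
    1.0.1 < 1.0.1f < 1.0.1g.
    """
    parts = []
    for piece in text.strip().split("."):
        digits, suffix = "", ""
        for ch in piece:
            if ch.isdigit() and not suffix:
                digits += ch
            else:
                suffix += ch
        parts.append((int(digits) if digits else 0, suffix))
    return tuple(parts)


def parse_lockfile(text):
    """Read 'name==version' pins, ignoring comments and blank lines."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory.introduced) <= v < parse_version(advisory.fixed)


def audit(lockfile_text, advisories):
    """Return one finding per pinned package inside a vulnerable range."""
    pins = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv.package)
        if pinned is not None and is_affected(pinned, adv):
            findings.append({
                "package": adv.package,
                "pinned": pinned,
                "advisory": adv.advisory_id,
                "upgrade_to": adv.fixed,
            })
    return findings


# Constructed sample lockfile and advisory feed.
LOCKFILE = """
# constructed sample pins
imagelib==2.4.1
tlslib==1.0.1f
requests-ish==2.31.0
"""

ADVISORIES = [
    Advisory("imagelib", "2.0.0", "2.4.3", "ADV-0001 (constructed)"),
    Advisory("tlslib", "1.0.1", "1.0.1g", "ADV-0002 (constructed)"),
    Advisory("requests-ish", "2.0.0", "2.20.0", "ADV-0003 (constructed)"),
]

if __name__ == "__main__":
    for f in audit(LOCKFILE, ADVISORIES):
        print(f"{f['package']}=={f['pinned']} is affected by {f['advisory']}; "
              f"upgrade to {f['upgrade_to']}")
```

The point of the range check is that "update everything" and "never update" are both coarser than needed: only the two pins inside a known-vulnerable range are flagged, and the report names the smallest version that closes the issue, which is the minimal change a team can schedule without taking on every other new release.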


If you want to build a secure system, you shouldn't have dependencies that can mess with it.


What webserver did you write for your secure system? What OS did you write to run it on? What boot and CPU firmware did you write to run the OS on?

It’s dependencies all the way down.


We're using a web host with an operating system and web server that are "obsolete" and haven't received any updates for a few years. There are no contact points where that server could access any of our machines. Not any more likely than it accessing your machine. It serves hyper-fast web pages and receives customer orders. There's nothing sensitive there. If the server hall burned down or got hit by a tactical nuke, it would take 10 minutes to get stuff up on another server from backups.

For most businesses, credit card processing is outsourced to Stripe or similar services, and the security for that is their responsibility. Customer data is only stored on local machines with encryption. So it's very possible to architect solutions that aren't vulnerable. Unless you want to go into very unlikely scenarios.


So in the worst case scenario, an attacker only has access to all of your customer orders flowing through it.

You appreciate why that would be a problem, surely?


In the worst case scenario, an attacker can send in one nonsense customer order that gets deleted by staff when they see it. This happens about twice per year. Customer orders are not stored anywhere on the server.


So you can't even fathom a scenario where an order is fulfilled without the payment going through, causing a huge amount of losses? Or leaking private data which is a huge deal in a post-GDPR world?


If you separate ordering, invoicing, and delivery, it is impossible for that to happen.

As for leaking private data, now you're in the territory of some hackers having access to reading RAM memory. Which I guess is a possibility, but not something that every business in the world needs to concern themselves with.

If you call your local auto dealer and say you want to buy all their cars, don't you think they have some process stopping them from just sending all their cars to your address? A hacker could make that call, you know...



