It’s not security debt, it’s just general technical debt.
I would also say, that this is just technical debt. I also fully understand, that there are things like breaking changes. I remember clearly when we used asyncore in the past for Python at work and then it became deprecated. It was still possible to use it for a long time, but a change was needed. Such breaking changes caused work and are not nice. Especially if it is a big software.
On the other side, I am not happy if I buy software or hardware, which has probably insecure dependencies.
I understand the developers, I am also one, and I know that many things are not under their control. I am also not blaming them. But it is a no-go if something new is sold with 10-year-old OpenSSH Server, 15-year-old curl or other things.
But I am not taking exotic vulnerabilities that seriously. Like, if you need specific constellations, so this is somehow hackable.
I would also say, that this is just technical debt. I also fully understand, that there are things like breaking changes. I remember clearly when we used asyncore in the past for Python at work and then it became deprecated. It was still possible to use it for a long time, but a change was needed. Such breaking changes caused work and are not nice. Especially if it is a big software.
On the other side, I am not happy if I buy software or hardware, which has probably insecure dependencies. I understand the developers, I am also one, and I know that many things are not under their control. I am also not blaming them. But it is a no-go if something new is sold with 10-year-old OpenSSH Server, 15-year-old curl or other things.
But I am not taking exotic vulnerabilities that seriously. Like, if you need specific constellations, so this is somehow hackable.