I think many companies don’t actively maintain a large portion of their code base at all. So any amount of work, no matter how small, involves a “project” and “budget” and “approvals” to even assign somebody to the task of upgrading.
Then you have the testing and due diligence from whomever actually uses the thing.
Not if you want support from the vendor :p