Well, we don't know - that's capturing 2 scenarios: software that whose impact is low as reflected by lack of investment and legitimately useful improvements that just weren't valued (fix slow code, reduce errors and increase uptime, address security concerns) because the cost was not appreciated / papered over by patches / company hasn't been bitten yet