Public Infrastructure on Private Risk
Government agencies worldwide running citizen services on legacy technology. The White House runs WordPress — but .gov overall is 49% Drupal across 14,349 sites.
What keeps Government CISOs awake
Procurement processes prioritizing low upfront cost over total cost of ownership
WordPress chosen because 'nobody gets fired for choosing WordPress' — the status quo bias
Citizen data processing on frameworks with active CISA KEV entries
Multi-month patch deployment cycles creating extended vulnerability windows
COBOL knowledge concentration in near-retirement workforce
Typical vs Recommended
Compliance Exposure
Cloud security authorization. Legacy on-premise systems increasingly difficult to maintain in compliance.
Federal information security. Annual assessments. Legacy systems accumulate findings year over year.
Known Exploited Vulnerabilities catalog. Federal agencies required to patch within defined timelines — often impossible on legacy stacks.
Legacy CMS themes and plugins frequently fail accessibility requirements, creating legal exposure.

We Scanned 342 Major Websites. Next.js Has Overtaken WordPress.
May 2026 · 6 min
COBOL, Java 8, Python 2: The Three Horsemen of Legacy
May 2026 · 7 min
The Legacy Iceberg: What's Below the Waterline
May 2026 · 8 min
Government Sites: Running a Nation's Web on 18,005 CVEs
May 2026 · 7 min
Year 1, Year 3, Year 5: What Happens to Sites That Don't Migrate
May 2026 · 7 min