The Education Stack Is Fossilized
WebPulse's scan data confirmed that education is the slowest sector to adopt modern frameworks. Universities and school systems run Drupal and Ruby on Rails at rates far above any other industry. These were solid choices when they were made — Drupal's content management and Rails' rapid development served education well for a decade.
But the web changed. Drupal's 1,200+ CVEs and Rails' 180 CVEs create compliance exposure that education institutions rarely acknowledge. FERPA protects student education records with the same legal weight that HIPAA protects health records. The infrastructure gap between what FERPA requires and what education actually runs is widening every year.
Why Education Can't Move
Three forces keep education on legacy stacks. First: procurement cycles. University IT decisions move through committees, RFPs, and multi-year contracts. A migration that takes a startup 2 weeks takes a university 2 years. Second: custom integrations. LMS systems, student information systems, and research platforms all connect to the CMS. Third: institutional memory. The person who chose Drupal in 2011 has retired. Nobody knows why certain architecture decisions were made, and nobody wants to disturb them.
The Path Forward
Education needs the same playbook fintech used: new properties on modern stacks, legacy on a deprecation timeline. Every new departmental site should be Astro or Next.js. The main CMS should plan a 2-year migration. The alternative is waiting for the first FERPA breach traced to a Drupal 7 vulnerability — and that breach costs more than the migration.
