← All insights
Business Efficiency

The Legacy Iceberg: What's Below the Waterline

WordPress is the visible 43%. Beneath it: millions of custom apps, enterprise systems, and internal tools built for a world that no longer exists.

· 8 min read
Share on X LinkedIn

The Part You Can See

We scored 25 web frameworks and found that 43% of the web runs on WordPress — a platform with 18,005 known vulnerabilities. That made headlines. But web frameworks are the visible part of the iceberg.

Below the waterline sits the infrastructure that actually runs businesses: custom enterprise applications, internal tools, API backends, data pipelines, workflow systems, and integrations built over decades. Nobody scores these. Nobody tracks their CVEs in aggregate. Nobody calculates their total cost of ownership. That's why the problem persists.

The Scale of Legacy

~60%
Enterprise applications over 10 years old
Estimated across Fortune 500. Many core business systems were built 2008-2015 and never replatformed.
~70%
Custom internal tools with no documentation
Modeled estimate. Widely cited in IT governance literature but no single definitive source.
~80%
Organizations running at least one EOL framework
Modeled estimate. Source: HeroDevs EOL dataset tracks 81,000+ EOL package versions.

The Pattern Is Always the Same

It doesn't matter if it's WordPress, a custom Java app, a Python 2 data pipeline, or a COBOL batch process. The pattern is identical:

Year 1: It works. Year 3: The original developer left. Year 5: Nobody fully understands it. Year 7: It's too risky to change and too expensive to replace. Year 10: It runs the business and terrifies everyone who knows what's inside.

We see this pattern in web frameworks because the data is public. But every CTO reading this recognizes it in their own systems.

Why Nobody Talks About It

Web framework data is public — CVEs are in the NVD, GitHub repos are open, market share is crawlable. Enterprise application health is private. No CTO publishes their technical debt. No CISO discloses their legacy exposure voluntarily.

The result: everyone assumes they're the only ones with this problem. They're not. The problem is structural, not individual. And it's getting worse at a rate that mirrors the WordPress CVE curve — quietly compounding until something breaks publicly.

What We're Building Toward

WebPulse started with web frameworks because the data was accessible and the results undeniable. But the scoring methodology — Security, AI-Readiness, Ecosystem Health, Cost of Ownership, Talent Availability — applies to any technology stack.

The question isn't 'should you move off WordPress.' The question is: 'what is the true health score of every piece of technology your business depends on?' Web frameworks are chapter one. The full infrastructure audit is the book.

Related industries
Financial Services Government Manufacturing Telecommunications
Related regions
North America Western Europe Asia Pacific
Share this insight
Share on X Share on LinkedIn
More insights
Business Efficiency

The Hidden Cost of Legacy Frameworks

May 2026 · 4 min
Read insight
Business Efficiency

The True Cost of Running WordPress: $4,200 to $38,000 Per Year Per Site

May 2026 · 8 min
Read insight
Business Efficiency

The WordPress Talent Crisis: Shrinking Supply, Rising Costs, Declining Skills

May 2026 · 6 min
Read insight
Stay informed

Get the quarterly WebPulse report

Framework health scores, new insights, industry intelligence. No spam.

WebPulse WebPulse

The world's first data-driven digital infrastructure intelligence platform. Scoring what matters for the AI era.

by adyog.com →
Explore
Insights Industries Regions Rankings 2026 Report
Tools
Check a site Score Your Stack Migration Calculator Compare Frameworks EOL Tracker Compliance Matrix
Topics
The AI-First Web Security & Trust Future-Ready Innovation & Growth Business Efficiency
Data
API Methodology
© 2026 adyog. All rights reserved. Scores computed algorithmically. No vendor pays for placement.