
The US Government Spends $100 Billion a Year Maintaining Legacy Systems

More than 80% of the federal IT budget goes to keeping old systems alive. That's not modernization; that's life support paid for by taxpayers.


The Number

$100B+ annually
Federal IT legacy spending
Source: GAO-23-106821. Government Accountability Office report on federal IT spending.

The US federal government spends over $100 billion per year on information technology. More than 80% of that — over $80 billion — goes to operating and maintaining existing systems. Not building new capabilities. Not modernizing. Keeping old systems running.

What This Looks Like

The Social Security Administration processes benefits on COBOL systems written in the 1970s. The IRS runs tax processing on mainframes from the 1960s. The VA manages veteran health records on systems that predate the internet. These aren't edge cases — they're the norm.

~240 million
COBOL lines in US federal systems
Source: GAO reports. Social Security, IRS, VA, DoD — critical services.

whitehouse.gov Runs WordPress

The symbolic dimension: the White House — the most prominent digital address in American government — runs WordPress. Our scanner confirmed it. The nation's digital front door sits on a framework with 18,005 known vulnerabilities.

WordPress
whitehouse.gov framework
Source: WebPulse scanner detection. Confirmed via HTML signatures and meta tags.

The Modernization Gap

Congress has passed multiple modernization mandates — FITARA, MGT Act, TMF. Billions have been allocated. But the structural incentives favor maintenance over modernization: maintaining a working system is lower risk than replacing it. Nobody gets fired for keeping the lights on.

The result: America's digital infrastructure ages another year, every year. The maintenance cost rises. The security risk compounds. And the gap between what government services could be and what they are widens.

The CISA Dimension

Mandatory patch timelines
CISA BOD 22-01
Source: CISA Binding Operational Directive 22-01. Federal agencies must remediate KEV entries within defined timelines.

CISA's Known Exploited Vulnerabilities catalog creates a direct connection between framework choice and compliance obligation. Federal agencies running WordPress or Drupal inherit the CVE patching burden of those platforms — a burden that grows with each new vulnerability disclosure.

© 2026 adyog. All rights reserved. Scores computed algorithmically. No vendor pays for placement.