Security is the top priority for any organization and system. A legacy application that runs on an old operating system (such as Windows XP or Windows 2008) is more vulnerable to security issues due to lack of vendor support. Software vendors continuously determine new security threats and release patches to accommodate them in the latest software version, to secure them. Any legacy software that is announced as End of Life (EOL) from a vendor doesn't get a new security patch, which leaves your application running in the old software version, exposed to a number of security threats.

System health checks are often ignored for legacy applications, which make them more vulnerable to be the target of security attacks. The skills gap makes it difficult to provide continuous support and help, which means systems are run in an insecure manner. A single vulnerability can pose a high risk of exposing your application, database, and critical information to attackers.

In addition to a security vulnerability, legacy applications are hard to maintain due to compliance. As compliances keep changing with time to enforce more tight security around data handling and usage, legacy systems require changes to adhere to local governance and compliance needs. 

For example, the new European Union's General Data Protection Regulation (GDPR) compliance requires each system to avail features where a user can request to delete their data. While modern systems can provide these features out of the box in an automated and self-service manner, in legacy systems this may need to be performed manually and becomes more complex. Adhering to compliance needs can lead to more operation costs and time-consuming maintenance.