Another thing they're not thinking of is that if they switch out code, they risk more vulnerabilities (i.e., a whole new slew of expoits!).
Mark your calendars. I have asked Microsoft's .Net Messenger Service (the ones who sent me the e-mail to upgrade) what vulnerability the upgrade fixes. Just as in two previous cases (one question, one vulnerability report), I'm not holding my breath.
BTW, that vulnerability still exists, two years later. I did get a reply from them concerning the vulnerability. They claimed it was a non-issue because if I used MS DNS, the problem with their Exchange server cluster would not exist. I couldn't get it into their heads that the DNS local to the Exchange server was MS but that neither was the equipment mine (our shop used 99% *nix) nor was the DNS record causing the problem local.
And coworkers wonder why I have a low opinion of publicly available MS servers.