Sunday, October 20, 2013

"If it ain't broke, don't fix it" - A fundamental reason why defense-in-depth isn't always effective

Yes, I know this sounds all too familiar to most security professionals who propose a new or better way of doing things to their colleagues, sometimes at management level, and are met with a variety of facial and body language responses.

This is especially true when you are telling them to update something that you know is vulnerable to external or internal exploitation. Here is the most common feedback you will get, in no particular order:
  • Systems are not accessible from outside; only authorized personnel can use them within the office
  • Certain bespoke LOB (line-of-business) software is tied to a particular version of the OS, framework or application, and the vendor cannot guarantee it will work with newer versions
  • The SLA is so demanding that they can't afford any downtime
  • No allocated budget
Since you need their buy-in to implement those updates, your first and foremost task is to convince them, which can be easier said than done. Let's take on one piece of feedback at a time.
  1. Systems aren't accessible from outside. Really, really? It's time to re-think which business systems are exposed to the external world: websites, email, attendance systems, ERP systems and, better yet, SSH access to mission-critical infrastructure devices. Unless these services are protected behind a VPN, each of them is waiting to be probed and attacked. There are plenty of reports, like the Internet Census 2012, revealing how many service ports are visible on the public internet. With the right tool, like SHODAN, the sky is the limit for what you can or cannot access. Based on Akamai's State of the Internet report for Q2 2013, ports 80 and 443 topped the previous leader, port 445, at 41% vs 15% as the most commonly targeted ports.
  2. A customized CRM, for example, can't be updated as it may have several dependencies on OS, framework and application versions. Isn't that the reason we pay a great deal of money to the application vendor for maintenance? Well, sometimes it is truly confusing to understand what really was in the agreement. Off-the-shelf software scores a point in this area, as it is continually updated and checked for compatibility.
  3. Every business has its own commitment to its users, which we understand as an SLA. Google Apps is one good example. Given that, even organizations with the highest SLA level could inevitably have downtime. But we do have the necessary measures to minimize downtime. All critical changes are required to go through development, UAT and then production environments, so that most possible problems are taken into account for business continuity.
  4. After considering the above facts, it shouldn't take too long to get financial backing. The way we see it, most updates come free and most BCPs are already in place, so there won't be much that requires a special budget.
So, why did I choose this title and what motivated me? I can understand there are already so many things on system and network administrators' plates to handle day in and day out. Any new change could take additional time out of their busy schedule. So think of it the other way around. All those miscreants are trying to break what administrators try to keep in working order, and they will find one way or another to do just that. So why don't we preempt them by implementing known fixes in advance? Should anything happen, we have backups to roll back to and can try other methods. If anyone were to break our systems, it would be better if it were us than some random hackers creating headlines.