Wasn't Slashdot only a number of articles ago talking about how much cheaper it is to get hacked than to deploy proper security and maintenance?
We've known this for ages... and I learnt about it the hard way years ago as a webmaster.
In my junior sysadmin pre-ITIL cowboy days, I was tasked with managing a web server, and it turned out that PHP needed an immediate update.
Without further ado, to avoid the risk of getting hacked, I went and updated PHP to the next version up.
Turns out that doing so broke a number of customer webpages, which were reliant on some old, broken and unmaintained code. The website owners then complained and whined to our company that we had threatened their businesses. (Fortunately they only contributed peanuts to our bottom line, so luckily we didn't care that much.)
The lesson was simple: it is much easier to maintain old versions that keep things working AND DO NOTHING than to do any proactive security maintenance. This works in a number of ways.
Firstly, when you eventually get hacked IT IS NOT YOUR FAULT. It is the fault of some hacker and things will be seen that way. Blame gets shifted away from the admins anyhow.
Secondly, doing nothing is CHEAPER. It involves less risk, less change, and less responsibility. In a world where shareholders, finance and management dictate the aims of IT, you may as well fire the sysadmins, because it's risky if they do any maintenance, meaning that since they're not going to do anything you may as well fire them. Just get contractors to build things to work once, then leave the systems on the internet indefinitely until they either end up getting hacked to the point of failure or the hardware breaks down. Then rebuild the system from scratch with more contractors when that time eventuates.
That's how security patching works in the real world. In other words, it doesn't.
The thing is, it's ALL ABOUT SHIFTING BLAME in the world of IT, and IT is a risk, and it is expensive.
That's why there is so much outsourcing combined with support contracts: so company managers can point the finger at vendors when things go to hell, and then walk away with legal indemnification and still keep their job and their pensions, while saying that they kept costs down when things eventually go to pot.
So in this Yahoo case, someone finally has the guts to call Yahoo out on it.