3 years of uptime might sound impressive, but it means you keep running the same kernel, and towards the end of that streak that kernel is pretty much guaranteed to have a widely known local privilege escalation vulnerability.
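One concrete check behind the point above, as an added example that is not from this thread: a host that has been up for years is running whatever kernel it booted, regardless of how many newer kernel packages have been installed since. The script compares the running kernel with the newest installed one. It assumes Linux, with installed kernels visible as /lib/modules/<version>, the running version from `uname -r`, and a `sort` that supports `-V` (GNU or busybox); the function names and the version strings used for illustration are my own.

```sh
#!/bin/sh
# Added example: is a long-running host still on the newest kernel it has installed?
# Assumes Linux (/lib/modules/<version>, /proc/uptime, `uname -r`) and `sort -V`.

# kernel_is_current RUNNING INSTALLED...
# Returns 0 when RUNNING is the newest of the given versions, 1 when a newer kernel is
# installed but has not been booted. Versions are passed as arguments so the logic can be
# exercised offline with constructed values (hypothetical helper, not a distro tool).
kernel_is_current() {
    running="$1"
    shift
    newest=$(printf '%s\n' "$running" "$@" | sort -V | tail -n 1)
    [ "$newest" = "$running" ]
}

# uptime_days SECONDS -> prints whole days; SECONDS is the first field of /proc/uptime.
uptime_days() {
    echo $(( ${1%.*} / 86400 ))
}

# Live check against the real host. The installed list comes from /lib/modules, which is
# where distro kernel packages drop their module trees even when the kernel was never booted.
check_host() {
    running=$(uname -r)
    installed=$(ls /lib/modules 2>/dev/null)
    secs=$(cut -d' ' -f1 /proc/uptime 2>/dev/null || echo 0)
    echo "running: $running, up $(uptime_days "$secs") days"
    # shellcheck disable=SC2086  # word splitting of $installed is intended
    if kernel_is_current "$running" $installed; then
        echo "running kernel is the newest installed"
    else
        echo "NEWER KERNEL INSTALLED BUT NOT BOOTED: reboot (or live-patch) required"
    fi
}

# Run the live check only when invoked as `sh script.sh --check`.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

The comparison is deliberately done on version strings rather than on package metadata, so the same function works whether the kernels came from a distro package manager or from a local build; it says nothing about whether the booted kernel has been live-patched, which is a separate question.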
You sound smart and are probably technically correct, but the reality is that what replaced this setup was ephemeral VMs with outsourced Indian contractors. There was spam coming from their setup within weeks of the transition. Admin as in, I share my root password with the crew of contractors in my small company, like that.
The very reason I will never work for a shop that outsources anything, especially fintech stuff. You just never know who is going to have access. RBAC is huge where I work.
It would be interesting to see what percentage of meaningful security vulnerabilities couldn't be fixed via live patch. Of course, that does require that you invest the significant effort needed to get live patching to work, but it is possible.