Feels similar to government IT risk aversion that I've seen. Folks are afraid to approve a new piece of software, or a new version, or a hotfix or whatever, because what if it goes awry and causes problems? But little weight seems to be put on "what if we keep running the same version we've been running for years and now that there's a known vulnerability, someone exploits it?"