Why Legacy Modernisation is No Longer Optional

March 19, 2026 Clive

In December 2022, Southwest Airlines cancelled 16,700 flights over ten days — cancelling up to 70% of its flights on peak disruption days. Nearly two million passengers were stranded. Pilots and crew called the scheduling hotline and waited on hold for five hours or more. Some fell asleep waiting. The system they were calling into — a crew scheduling platform called SkySolver — had been flagged in internal audits four years earlier as presenting "catastrophic risk." The flag was documented. The risk was understood. The modernisation was deferred.

Southwest eventually disclosed losses exceeding $1 billion from that single event. The US Department of Transportation issued a record-setting $140 million fine, and the airline faced intense congressional hearings alongside shareholder lawsuits. The root cause — an aging system unable to cope with a disruption of the scale that modern operations routinely encounter — was not a surprise to anyone inside the company. They simply ran out of time before the system ran out on them.

Southwest is the most visible example of a problem that exists at significant scale across every industry. Legacy systems are not quietly failing. They are failing loudly, expensively, and with increasing frequency — and the cost of continuing to defer the decision to modernise is now measurably higher than the cost of acting.

The Scale of the Problem, in Numbers

Organisations globally spend between 60% and 80% of their IT budgets maintaining existing systems. That leaves only 20% to 40% available for new capability, automation, and innovation. The aggregate figure — the total annual spend on maintaining existing IT investments worldwide — is $1.14 trillion. For context: that is more than Australia's entire annual GDP allocated, year after year, to keeping old systems running.

The average cost of maintaining a single legacy system runs to approximately $30 million per year. And because technical debt compounds — growing at roughly 20% annually if left unaddressed — a system that costs $2.4 million to maintain in year one costs $3.6 million by year five. Legacy infrastructure costs 20–25% more annually than equivalent modern software. McKinsey's research found that organisations carrying high levels of technical debt spend 40% more on maintenance and deliver new features 25–50% more slowly than their peers.

In Australia, the problem is acute at the government level. The Australian National Audit Office has found that 71% of Commonwealth agencies still rely on legacy IT systems. The Productivity Commission and multiple government inquiries have estimated that retiring legacy IT infrastructure five years faster than current trajectories could save the federal government $1.4 billion annually — $13.5 billion over a decade. That is not a theoretical saving. It is the cost of the status quo.

What "Maintenance Mode" Actually Costs

The financial burden of legacy systems is visible in budget line items. The operational burden is harder to see — but equally consequential.

Developers working in environments burdened by technical debt spend 33% of their time on maintenance tasks rather than building new capability. That is one day in every three, lost to keeping systems alive rather than making them better. Talent attrition in these environments is consistently higher — engineers leave organisations where they spend the majority of their time working around system limitations rather than solving meaningful problems.

Integration compounds the cost further. When legacy systems lack modern APIs, organisations build custom workarounds to connect them to contemporary platforms. The cost of each integration project ranges from $75,000 to $250,000, and the workarounds they produce are fragile — brittle connections between systems that were never designed to communicate, maintained by people who understand neither system fully.

Data silos are an almost universal consequence. Eighty percent of organisations cite data silos as their single greatest barrier to automation and AI integration. That figure is not incidental — it is structural. Legacy systems were built to hold data, not to share it. Getting data out of them, into formats that modern analytics and AI tools can use, requires either expensive integration projects or significant system replacement.

"The question organisations need to answer is not whether they can afford to modernise. It is whether they can afford the compounding cost of not modernising — in budget, in talent, and in the competitive ground they surrender to organisations that already have."

The Talent Crisis Nobody Is Talking About

There are over 800 billion lines of COBOL in active operation worldwide. These systems process roughly $3 trillion in daily commerce — banking transactions, insurance claims, payroll, government payments. The average age of a COBOL programmer is between 55 and 58. Approximately 10% retire every year. There are currently 84,000 unfilled mainframe positions globally, and no meaningful pipeline of new entrants to fill them.

The consequences of this demographic cliff have already been previewed. In 2020, the COVID-19 pandemic created an unprecedented surge in unemployment claims across the United States. State unemployment systems — many of them running on COBOL infrastructure built in the 1970s and 1980s — collapsed under the load. Thirty-three million claims overwhelmed systems designed for a fraction of that volume. New Jersey's governor made a public appeal for COBOL developers to come out of retirement to help repair systems that had never been replaced. Florida residents lined up for paper forms. The lesson was not that COBOL is inherently unreliable. It was that systems built for the conditions of fifty years ago are not designed for the conditions of today — and that the people who know how to maintain them are running out of working years.

Organisations that delay modernisation are not just paying the current cost of that delay. They are narrowing the window in which they can execute a managed, expert-led transition before the expertise disappears entirely.

The Security Exposure Hidden in Plain Sight

Legacy systems do not age gracefully from a security perspective. End-of-life software accumulates an average of 218 new vulnerabilities every six months — vulnerabilities that will never be patched because the vendor has discontinued support and the internal teams maintaining the system lack the context to address them. Sixty percent of data breaches are caused by known, unpatched vulnerabilities. The average cost of a data breach in 2024, according to IBM's annual benchmark study, was $4.88 million.

Two incidents that reshaped Australian regulatory thinking on this point occurred in 2022. Optus suffered a breach exposing the data of 9.5 million customers. The proximate cause was a dormant API coding error from 2018 that had become internet-facing in 2020 and remained unaddressed for two years. Total cost: more than A$140 million. Medibank suffered a breach exposing 9.7 million customers' records, partially attributable to a failure to implement multi-factor authentication on VPN access — a control that had been available and recommended for years. The financial fallout was immense: alongside staggering remediation costs, the regulator (APRA) imposed a $250 million capital adequacy penalty. Instead of deploying that capital for growth, Medibank was forced to lock a quarter of a billion dollars in reserve. That is the true cost of deferred security modernisation.

The regulatory environment that followed these incidents has made the calculus considerably less forgiving. Australia's Privacy Act amendments have introduced tiered civil penalties and infringement notices of up to $66,000 per contravention. The maximum penalty for serious or repeated breaches has increased from $2.22 million to $50 million. The Australian government reported 163 notifiable data breaches in 2024 alone.

For government agencies and their suppliers, the Essential Eight framework — developed by the Australian Signals Directorate — is now mandatory at Maturity Level 2 for Commonwealth entities and Level 1 for NSW agencies. The ASD guidance explicitly prioritises upgrading legacy systems as a prerequisite for achieving meaningful Essential Eight compliance. A system that cannot be patched, that does not support modern authentication protocols, or that cannot integrate with contemporary identity management infrastructure is not a system that can achieve compliance — it is a system that creates an ongoing compliance gap.

"Following the Optus and Medibank breaches, Australia's maximum penalty for serious data breaches increased from $2.22 million to $50 million. Legacy systems that cannot support modern security controls are not just a technical liability. They are a board-level legal exposure."

The Incident That Reframed the Architecture Question

In July 2024, a faulty software update from cybersecurity vendor CrowdStrike caused 8.5 million Windows systems worldwide to crash simultaneously. The cascading failure — airlines, hospitals, banks, broadcasters — resulted in estimated losses exceeding $10 billion. Delta Air Lines alone reported losses of $500 million and subsequently sued CrowdStrike.

The architectural lesson hidden in the fallout was about blast radius. The crash was triggered because the vendor's update had direct, tightly coupled access to the operating system's core kernel. The CrowdStrike incident was not a case of bad luck. It was a devastating demonstration of what happens when systems lack modern architectural isolation. When deep, legacy-style dependencies allow a single point of failure to propagate unchecked, the entire estate goes down. Modern architecture isolates workloads and strictly limits the blast radius. Tightly coupled, aging infrastructure has no such boundaries.

Legacy Systems Are the Primary Barrier to AI

The competitive pressure to adopt artificial intelligence is now a board-level concern for most large organisations. The barrier that most of them are running into is not a lack of AI strategy, AI talent, or AI budget. It is their existing technology estate.

More than 70% of enterprises cite legacy system incompatibility as their primary barrier to AI adoption. Only 24% say their current technology estate can support meaningful AI integration. The data needed to train, fine-tune, and operate AI tools is locked inside systems that were built before the concept of machine-readable data pipelines existed. Getting it out requires the same integration workarounds that have already cost the industry hundreds of billions of dollars — or it requires replacing the systems that hold it.

Cognizant's analysis of enterprise AI readiness puts the timeline plainly: organisations that do not address their legacy estate within the next two years will find themselves structurally unable to compete with peers who have. The competitive gap created by AI adoption is not linear — it compounds. Organisations that automate faster ship faster, price more accurately, and serve customers more effectively. The gap between the AI-ready and the AI-blocked widens with every month of delay.

What Modernisation Actually Looks Like

The most durable misconception about legacy modernisation is that it requires a "big bang" replacement — a single high-risk, high-cost project that takes years and frequently fails. Most modernisation failures in the literature are failures of this approach: a complete system replacement attempted too quickly, with insufficient understanding of what the existing system actually does in practice.

The alternative — and the approach that consistently produces better outcomes — is incremental modernisation using patterns like the Strangler Fig. The core principle is straightforward: build new capability around the edges of the legacy system, intercept traffic progressively from old to new, and retire components of the old system only as the new system proves itself in production. The legacy system continues operating throughout. The risk of any single phase is bounded. And the organisation learns incrementally, rather than betting everything on a single replacement.
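The Strangler Fig cutover described above, together with the bounded blast radius point from the CrowdStrike section, as an added illustrative example. This is not iMSX's code, nor code from any organisation named in the article; it is a minimal routing facade written for this page. It assumes requests can be reduced to a stable caller key plus a path, that the legacy and modern systems can be stood in for by plain callables, and that migration state lives in memory (a real deployment would keep it in configuration the facade reads at runtime). Traffic is moved per path prefix in percentage steps, callers are bucketed deterministically so each one sees a consistent backend mid-cutover, and a failure in the new component is contained to its prefix and served from legacy, so the risk of any single phase stays bounded until the prefix is finally retired.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

# A backend is anything that takes a request path and returns a response body.
# Plain callables stand in for the real legacy and modern systems (assumption).
Backend = Callable[[str], str]


@dataclass
class RouteMigration:
    """Migration state for one path prefix under the strangler fig."""
    prefix: str            # e.g. "/claims": requests under this prefix are being moved
    percent: int           # 0..100, share of requests routed to the modern backend
    fallback: bool = True  # on modern-backend failure, serve the request from legacy


class StranglerFacade:
    """Single entry point placed in front of the legacy system.

    Every request still passes through here; per-prefix migration state decides
    whether it goes to legacy or to the new implementation. Failures in the new
    implementation are counted, contained to their prefix, and served from legacy,
    so no single migration phase can take the whole estate down.
    """

    def __init__(self, legacy: Backend, modern: Backend) -> None:
        self.legacy = legacy
        self.modern = modern
        self.routes: dict[str, RouteMigration] = {}
        self.failures: dict[str, int] = {}  # per-prefix modern-backend failure count

    def migrate(self, prefix: str, percent: int) -> None:
        """Start or advance the cutover of a prefix: `percent` of traffic to modern."""
        if not 0 <= percent <= 100:
            raise ValueError("percent must be between 0 and 100")
        self.routes[prefix] = RouteMigration(prefix, percent)

    def retire(self, prefix: str) -> None:
        """Final phase: legacy is no longer consulted for this prefix at all."""
        self.routes[prefix] = RouteMigration(prefix, 100, fallback=False)

    def _match(self, path: str) -> Optional[RouteMigration]:
        # Longest matching prefix wins, so "/claims/audit" can be cut over
        # independently of, and earlier than, the broader "/claims".
        best = None
        for rule in self.routes.values():
            base = rule.prefix.rstrip("/")
            if path == rule.prefix or path.startswith(base + "/"):
                if best is None or len(rule.prefix) > len(best.prefix):
                    best = rule
        return best

    @staticmethod
    def _bucket(request_key: str) -> int:
        # Deterministic 0..99 bucket from a stable key (e.g. a customer id), so a
        # given caller is consistently served by one backend during a partial cutover.
        digest = hashlib.sha256(request_key.encode()).digest()
        return int.from_bytes(digest[:2], "big") % 100

    def route(self, request_key: str, path: str) -> tuple[str, str]:
        """Dispatch one request; returns (backend_used, response)."""
        rule = self._match(path)
        if rule is None or self._bucket(request_key) >= rule.percent:
            return "legacy", self.legacy(path)
        try:
            return "modern", self.modern(path)
        except Exception:
            # Contain the failure: record it for the prefix and, unless the prefix
            # has been retired, fall back to the still-running legacy system.
            self.failures[rule.prefix] = self.failures.get(rule.prefix, 0) + 1
            if not rule.fallback:
                raise
            return "legacy-fallback", self.legacy(path)


# Constructed stand-in backends for the demonstration (not real systems).
def legacy_backend(path: str) -> str:
    return f"legacy:{path}"


def modern_backend(path: str) -> str:
    # The new component does not yet handle one case; the facade must contain that.
    if path.endswith("/broken"):
        raise RuntimeError("new component does not handle this case yet")
    return f"modern:{path}"


def demo() -> dict:
    """Walk through the phases: untouched, partial cutover, fallback, retired."""
    facade = StranglerFacade(legacy_backend, modern_backend)
    facade.migrate("/claims", 50)  # phase 1: half of claims traffic to the new service
    facade.retire("/payroll")      # payroll already fully migrated, legacy path retired
    modern_hits = sum(
        1 for i in range(1000)
        if facade.route(f"cust-{i}", "/claims/123")[0] == "modern"
    )
    facade.migrate("/claims", 100)  # phase 2: full cutover, legacy kept as fallback
    return {
        "untouched": facade.route("cust-1", "/billing/42"),
        "retired": facade.route("cust-1", "/payroll/run"),
        "claims_modern_share": modern_hits / 1000,
        "contained_failure": facade.route("cust-1", "/claims/broken"),
        "claims_failures": facade.failures.get("/claims", 0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that the facade, not the backends, owns the cutover: the legacy system is never modified, the modern service is introduced one prefix at a time, and the `failures` counter gives the team a concrete signal for deciding whether a phase is ready to advance or should be rolled back to 0% without touching anything else.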

The Commonwealth Bank of Australia's $1.5 billion core banking modernisation — executed over several years — is the most studied example at scale in this country. CBA is now ranked as Australia's most digitally advanced bank, with capabilities in personalisation, real-time decisioning, and AI integration that competitors built on older infrastructure cannot match. The investment was substantial. The strategic return has been larger.

The UK Government Digital Service achieved £4.1 billion in annual savings on a £2.3 billion investment by systematically replacing legacy government platforms with modern, shared infrastructure. The Australian government's October 2024 Digital Strategy targets an equivalent program: reducing legacy sprawl across Commonwealth agencies and building ten new whole-of-government shared platforms designed to eliminate the duplication and technical debt that currently consumes the majority of agency IT budgets.

AI is beginning to accelerate the modernisation process itself. Gartner projects that 60% of legacy modernisation projects will use generative AI tooling by 2027. AI-assisted code analysis and refactoring has been shown to improve code health scores by 68–79% and deliver 5–10x speed gains versus manual migration approaches. The implication is significant: organisations that begin modernisation now will be able to use AI to accelerate the remainder of the work. Organisations that wait until AI tooling matures further will find themselves further behind, not better positioned.

Starting with a Rigorous Audit

The organisations that modernise most effectively do not begin with a vendor selection or a technology roadmap. They begin with an honest assessment of what they have. A Legacy System Audit establishes the complete picture: which systems are running, what they actually do versus what documentation says they do, where the security exposure lies, which integrations are load-bearing and which are workarounds, and what the true annual cost — including maintenance, integration, talent, and opportunity cost — actually is.

That audit is the difference between a modernisation program that is sequenced strategically and one that replaces the wrong system first. It surfaces the hidden dependencies — the undocumented processes, the manual data transfers, the integration workarounds that nobody has written down — that cause big-bang replacements to fail. And it produces a prioritised roadmap where the highest-risk, highest-cost, or highest-strategic-value components are addressed first, with each subsequent phase building on the stability of the last.

iMSX has been delivering custom software to organisations including NSW Health, Glencore, Lenovo, and UNSW for seventeen years. We hold the NSW Government SCM0020 panel registration, which pre-qualifies us for agency work in exactly this category — legacy assessment and modernisation programs for government and enterprise. We have conducted legacy audits for organisations across healthcare, financial services, resources, and higher education, and we understand that the most important output of an audit is not a list of problems. It is a sequenced, defensible plan for addressing them without disrupting the operations that depend on the systems being replaced.

Southwest Airlines ran its audit in 2018 and documented the risk clearly. The modernisation did not happen. The collapse did — four years later. The cost of acting on the 2018 audit would have been a fraction of what the 2022 failure cost. That is the arithmetic of legacy modernisation. The longer the delay, the higher the cost of both the eventual replacement and the failures that precede it.

If your organisation is carrying systems that are constraining your security posture, blocking automation, or making AI integration structurally impossible, the right time to audit them was several years ago. The next best time is now.

#LegacyModernisation #DigitalTransformation #TechnicalDebt #Cybersecurity
