For legacy hardware like this it's usually not anywhere close to as important as it is for modern systems.
These systems are not being used to browse the modern web, they're too slow.
They're not being used to host production multiuser environments beyond a few retrocomputing homelabbers' toy systems, where the worst case scenario is a restore from backup and banning a user or two rather than data loss/breach and/or legal action.
The ones still in actual active use are almost all appliance systems that mostly haven't seen a kernel update in years or ever because they usually exist to go with some piece of hardware that never got an in-tree driver and thus can't work with anything much newer than what it shipped with and/or some software that depends on ancient libraries no distro ships anymore. These systems don't need to (and shouldn't) be exposed to untrusted networks, users, or content; they can (and already should) be locked down by a skilled admin to only communicate with the minimum number of systems needed for whatever purpose they serve. If the admin isn't sufficiently skilled to confidently handle that, the system and admin should both be replaced.
---
I have an old IBM PS/2 that's my family's first computer, which still has its original Windows 3.1 install on it. I imaged the original hard drive and moved it to a CF card, but that also means I can screw around with it and not worry about breaking anything because I can just restore the last known good image. I don't connect it to the internet often, but if on one of those rare times I happened to somehow stumble upon someone who had been saving a drive-by exploit for IE 3.0 or an RCE against Trumpet Winsock that then infected my system, I'd just do the same. Anything this old is small enough to be imaged easily.