When a project relies on legacy applications, a primary and often heightened risk is a major cybersecurity event. Legacy systems frequently have older architectures, limited vendor support, weaker security controls, outdated dependencies, and delayed patching capabilities—factors that increase vulnerability exposure. From a Project+ perspective, risk management requires identifying threats with the highest potential impact; a cybersecurity incident can create severe consequences across confidentiality, integrity, and availability, leading to service outages, regulatory exposure (especially if PII is involved), reputational damage, and unplanned cost/schedule impacts.
“Infrastructure end of life” (A) is also a legitimate legacy-related risk, but it is typically a more predictable lifecycle risk that can be planned around (replacement schedules, support contracts). A “company reorganization” (B) is a general organizational risk not specific to legacy applications. “Digital transformation” (C) describes a strategic initiative rather than a discrete risk event.
Because the question asks for the main concern when using legacy apps, the most critical, high-impact threat that legacy systems exacerbate is a major cybersecurity event—the kind of risk that can derail timelines and budgets and force emergency scope changes and remediation work.