
Managed WordPress hosts have solved a part of this problem, but the issue is that the vast majority of WordPress sites are on cheap, shared hosting in unmanaged environments. It's currently up to the users to upgrade their sites, which means versions of PHP and WP don't get upgraded...ever.

The only realistic solution would be for hosts to forcibly upgrade customers' sites, which causes significant breakage (even < 1% is thousands and thousands of sites). Is that acceptable? Whose job is it to fix that? Are hosts expected to just eat the churn from customers cancelling?

I'm not agreeing or disagreeing, just sharing the reality of the situation.



> The only realistic solution would be for hosts to forcibly upgrade customers' sites,

They could stop putting new customers on outdated systems, for a start. I routinely still see shared hosting delivering PHP 5.4, in 2015 (last I saw something that jarring).

You want to keep people on old stuff? Quarantine them, and have all new customers going forward on newer stuff, and develop a plan for upgrading. "Guys, yes, you want to keep running PHP 5.3, but for the security of the entire data center, we have to upgrade. You may need to upgrade your WordPress/etc - we'll do what we can to help mitigate problems, but not addressing this means your site is more at risk of becoming hacked".



