That specific server wasn't running Docker so there was less to worry about from an attack surface level.
Debian stable releases get 3 years of official support and then an extra 2 years of security maintenance. Running a specific release for 5 years isn't unheard of if the workload you're running is OK with not being updated for that long.
Ideally, I aim to create new servers when a new stable release is available, or at least before the official 3-year time span is over.