
Because a malicious ssg could expose private files (private keys etc) at a hidden url only the attacker knows to scan for, drop malware that grants them non-static file access, or really anything that other compromised binaries can do.


But we are not talking about a malicious ssg, we are talking about a vulnerable ssg that somehow needs to be patched. Unless your ssg connects to the internet, this is a non-issue.


> Unless your ssg connects to the internet, this is a non-issue.

This, but for all software ever. In the nightmare realm we've apparently decided to settle down in, we forgot the one way to make actually secure software: Run the complicated parts somewhere offline.

A security vulnerability is much less scary if the computer can't communicate with anything. It's the only way for us to get out of the pit of infinite work we've dug.


If the author of the SSG is compromised, I doubt they'd push fixes for their own exploits...?



