Many companies have a policy that requires active support for all software and for good reason. Failing to install security updates or using software which no longer receives security updates might be the easiest way to shoot yourself in the foot. If you have ever worked in information security you know that the vast majority of attacks companies face day to day are malware exploiting patched vulnerabilities and social engineering attacks. If you don't have good patch management or end user training, you don't have good security regardless of anything else you do.