Old sites without a webmaster still need to have security updates applied. Here is an example: #1022346: "drupalcon security lockdown" password prompt on old Drupalcon sites

Comments

DrewMathers’s picture

DrewMathers commented

Plugin Manager could have an option to automatically install security updates and run update.php on cron. Modules that report unsupported status would have to be automatically disabled, as vulnerabilities will never be fixed.