Meh, security isn't one thing, it's layers.

Everything always has risks. 0-days most notably.

Take a look at the NTLM risk that was just announced - every version of Windows is susceptible to it. Minimizing access to small groups is what has kept smart businesses safe from it. Along with things like isolating primary systems on a VLAN with no direct access, unless authorized by more than one person, and through well-configured, specific mechanisms.

Everywhere I've worked has had to run expired OS's for one thing or another - typically CNC type systems that were built for DOS or maybe XP. Do we stop running those systems just because the OS is no longer supported? No - they either get air-gapped or run on a very isolated VLAN with very strict access controls.

Then there's the person's threat model. Who is likely to be after you? Do you run questionable apps or just basic ones? Do you have Google services (it's a risk in my opinion)? Does your phone have a firewall? Do you block network access for apps that shouldn't need it? Do you separate apps into user profiles to keep data from leaking across them? Do you use a VPN? Maybe a mesh network to your own systems, with all internet traffic going there, then filtered by that firewall or IPS/IDS?

Lots of ways to skin the cat, but most importantly is to maintain layers. Layering is why MFA is such a big thing right now - it's another access control layer.

I run a bit wild, I admit it. But my threat model doesn't include people specifically coming for me, or state-level actors. I do have some data-destruction mechanisms in place, just in case.

Thank you 🥲