Does your old hardware support modern encryption technologies and is it able to be patched to mitigate zero-day vulnerabilities with the click of a button? When security isn't factored into the design and building phase of the application, vulnerabilities may be released to the public to be exploited when they could have been remediated much earlier in the process.
Here are a few questions to ask your vendor on secure development:
Are your engineers provided with secure development training upon hire and at least annually thereafter?
Is security built into the software development life cycle (SDLC), including during design, development, and release?
Are all of your releases scanned for vulnerabilities including in your code and in your referenced libraries?