A client wishes to update their legacy system even though there have been no security breaches since its implementation five years ago. If the client has not suffered any attacks, why is it still necessary to update their system?