It’s a huge source of vulnerabilities also. I bet 90% of all embedded Linux products are running whichever LTS snapshot the vendor froze on, plus vendor/their patches. Don’t bother looking at the CVE list, you can’t upgrade anyway.