What enterprises in banking, insurance, and healthcare are actually paying to keep legacy alive, and what one more year of waiting really costs.
Most enterprises underestimate what it costs to stand still. Between IBM’s 2025 average breach cost ($4.44M global, $10.22M in the United States), McKinsey’s research showing tech debt at 20 to 40 percent of the technology estate’s value, and our own modernization engagements, the run-rate cost of an unmodernized critical application is roughly two to three times the maintenance line item finance teams track. This article shows where the hidden cost lives, why finance models miss it, and how to translate the number into a business case a CFO will fund.
The Short Version
For a typical mid-market enterprise, the true annual cost of keeping a single critical legacy application alive is roughly two to three times the maintenance line item on the IT budget. The gap comes from four buckets finance teams rarely aggregate: shadow integration work, security and audit drag, customer experience erosion, and the wage premium for scarce legacy skills.
The decision in front of most technology leaders in 2026 is not whether to modernize. It is whether the business can absorb one more year of waiting. In most cases, the answer is no.
The Public Benchmarks Worth Anchoring On
Before any per-app estimate, set the room with numbers your CFO can verify independently.
- IBM’s Cost of a Data Breach 2025 reports a global average of $4.44 million per breach, with the United States average at $10.22 million, an all-time high. Healthcare remains the costliest sector at $7.42 million per breach for the 14th year running.
- McKinsey estimates technical debt accounts for 20 to 40 percent of the entire technology estate’s value, with 10 to 20 percent of every new initiative’s budget redirected to resolving issues caused by older code.
- Accenture’s 2024 tech debt research finds that high performers spend roughly 15 percent of IT budget servicing debt while laggards spend 40 percent or more, and that the gap correlates directly with revenue growth.
- Deloitte banking benchmarks summarized in 2024 found financial institutions underestimate legacy total cost of ownership by 70 to 80 percent on first count.
Why This Matters More in 2026
Three forces have stacked on top of the standard legacy cost picture in the last 18 months, and they are not slowing down.
First, the SEC cybersecurity disclosure rule (Item 1.05 of Form 8-K, in force since December 2023) has made every legacy app with internet exposure a board-level reporting risk. A breach that would have been an internal headache two years ago is now a four-business-day public filing.
Second, the cost of skilled legacy talent has compounded. The 2025 Dice Tech Salary Report and Stack Overflow Developer Survey both show specialist mainframe, COBOL, and classic .NET wages outpacing modern-stack averages, while open-role time-to-fill has stretched into multiple quarters.
Third, GenAI has reset the floor on what ‘modernized’ looks like. Competitors shipping AI features into customer journeys are widening the customer-experience gap measurably faster than they were in 2023. Standing still in 2026 is not standing still on the same ground.
Where the Money Actually Goes
When a CFO asks what an old system costs, the typical answer is licenses, hosting, and the two engineers who still know the platform. That number is honest, but incomplete. Here is the breakdown we use in modernization reviews.
| Cost bucket | Typical share of all-in cost | Tracked by finance? |
| --- | --- | --- |
| Direct maintenance (licenses, hosting, ops staff) | 35 to 40% | Yes |
| Shadow integration and middleware patching | 25 to 35% | No |
| Security, audit, and compliance drag | 15 to 25% | Partly |
| Customer experience erosion (churn and support load) | 10 to 20% | No |
| Wage premium for legacy skills | 10 to 20% | No |
The Four Hidden Buckets
- Shadow integration work. Every downstream team that needs data from the legacy system builds its own ETL job, scraper, or middleware. Multiply by six to twelve consumers and you have a second engineering organization whose only job is keeping the old system reachable.
- Security and audit drag. SOC 2 Type II, HIPAA, PCI DSS 4.0, and the SEC cybersecurity disclosure rule (Item 1.05 of Form 8-K, in force since December 2023) all hit legacy harder. Vendors charge more for legacy coverage, audits run longer, and exceptions usually need compensating controls.
- Customer experience erosion. Slow page loads, broken mobile flows, password resets that take two business days. In customer-facing systems we typically see a one to two point NPS drop and a measurable rise in support ticket volume attributable to the legacy front end.
- Wage premium for legacy skills. Senior COBOL, PowerBuilder, and classic ASP.NET engineers cost roughly 1.5 to 1.8 times a comparable modern-stack engineer, and time-to-hire commonly stretches three to four times longer.
The 12-Month Wait Tax
The harder question is what it costs to delay by one fiscal year. In engagements where an approved modernization slipped a year, the same pattern repeated: unplanned incident remediation, emergency staff augmentation, fresh audit findings, and (using IBM’s benchmark above) the rising probability of a material security event.
On average, that one-year delay added enough unplanned spend the following year to exceed what the modernization itself would have cost. Doing nothing is rarely the cheap option. It is usually the most expensive one, paid in installments.
Why the wait tax matters: The wait tax is a number a CFO can verify against last year’s unplanned spend. That is what consistently moves a modernization decision from someday to this fiscal year, more than any argument about future agility.
How This Played Out for a Financial Services Client
A financial firm we worked with was running analytics on aging on-premises infrastructure with rising license and audit costs and a brittle path to modern data products. We replatformed onto Azure Data Lake and Synapse, applied least-privilege identity, and rewired reporting. The recurring run cost dropped, audit evidence collection moved from quarterly fire drill to continuous, and the analytics team shipped two new revenue products in the first year on the new platform. The full write-up is linked below.
Common Mistakes in the Cost Conversation
Even with the right benchmarks, the business case usually goes sideways for one of five reasons. We see the same pattern across banking, insurance, and healthcare engagements.
- Only counting the line items finance already tracks. Licenses, hosting, and named engineers are roughly 35 to 40 percent of the real cost. Stop the analysis there and you understate the case by 60 percent.
- Comparing modernization cost to today’s run cost instead of the wait tax. The honest comparison is one year of modernization versus the next year of unplanned legacy spend plus rising breach probability.
- Treating customer experience erosion as anecdotal. It is measurable. Pull NPS, support ticket volume on the legacy front end, and abandonment rates. Numbers move the room.
- Forgetting the wage premium for legacy skills. A senior mainframe or PowerBuilder engineer in 2026 is not a like-for-like cost replacement when they retire. Model the replacement, not the incumbent.
- Underweighting the audit and compliance drag. SOC 2 Type II evidence collection on a legacy stack is roughly two to three times the effort of a modernized one. That cost shows up in audit invoices and lost engineering hours, not in the IT budget.
Frequently Asked Questions
Is this an average for all apps, or just critical ones?
Critical apps only. These are systems of record or revenue-touching workloads. Non-critical legacy applications cost a fraction of this and rarely justify a full modernization business case on their own.
Does this include the cost of migration itself?
No. This is the cost of not migrating. The modernization itself is a separate capital expense, typically in the range of one to one and a half years of the all-in run cost above, depending on the path chosen.
How does this compare to Gartner or McKinsey benchmarks?
Gartner’s IT Key Metrics data estimates legacy maintenance at 60 to 80 percent of the total IT budget industry-wide. McKinsey scopes technical debt at 20 to 40 percent of the technology estate’s value. Both are useful for board framing but too coarse for a per-app business case. The per-app view here is meant to complement, not replace, those industry benchmarks.
How long does the per-app cost model take to build?
Roughly two weeks for the first three applications, mostly driven by data gathering across finance, security, SRE, and the app owner. After the first three, the same model takes one to two days per additional app because the data sources and definitions are already in place.
Does this work for industries outside banking, insurance, and healthcare?
Yes. The five-bucket breakdown holds across manufacturing, energy, retail, and the public sector. The weighting shifts (compliance burden is heavier in regulated industries, customer experience erosion is heavier in retail) but the buckets and the wait-tax logic are stable across sectors.
References
- IBM Cost of a Data Breach Report 2025 — https://www.ibm.com/reports/data-breach
- McKinsey: Breaking technical debt’s vicious cycle — https://www.mckinsey.com/capabilities/tech-and-ai/our-insights/breaking-technical-debts-vicious-cycle-to-modernize-your-business
- Accenture: Build your tech and balance your debt (2024) — https://www.accenture.com/content/dam/accenture/final/accenture-com/document-3/Accenture-Build-Your-Tech-and-Manage-Your-Debt-2024.pdf
- SEC Cybersecurity Disclosure Rule (2023) — https://www.sec.gov/newsroom/press-releases/2023-139