I have yet to work at a place that didn’t have systems running mission-critical shell scripts with little to no SDLC on boxes that got periodic “yum update -y”s. There seems to be a difference in oversight of software we write & “the operating system”.

Should we do better? Absolutely! Will this burn people if vendors don’t take care? Also absolutely!