When I speak to security architects, the common thing they are worried about is the continuing role of legacy operating systems increasing risk in the data center. I am seeing a large number of workloads running older versions of UNIX, Windows Server 2008 and now Windows 7 desktop. While there are still security updates for Windows 2008 R2 and Windows 7, that will come to an end in January. If a company refuses to pay the cost of security updates, then that will lead to the creation of new attack surface.
The alternative is to isolate the legacy systems as much as possible. We all know that the desktop, compared to the server, is more of a target for the adversary, who will leverage the user's potential lack of security experience. That said, once an adversary gains remote administrative access to the desktop environment, lateral movement will start. Limiting the connectivity of the desktop environment limits the attack surface as well.
I recently worked with an insurance firm that has onshore and offshore developers who leverage Windows VDI to do their work. Based on their Active Directory group membership, we have segmented their connectivity to just the development environment (plus a few other resources necessary to do their coding). In my experience, third parties have less of a concern about the overall security of their desktop environments and also lack the usual security awareness training that internal employees receive.
No extended support means no more fixes and patches unless your organisation is willing to pay for them, and staying secure is one clear reason to upgrade: nearly nine out of ten businesses surveyed said that security was a key factor.