This is pretty-much what I do for a living: mitigate risk of this happening to organisations by protecting data. You’d be astonished at how many organisations don’t have people devoted to this sort of work. I walked into a company a few years ago that still had a Windows 2000 file server. Sometimes, there are valid reasons why a server can’t be upgraded (usually, it’s running super niche hardware or software that doesn’t work with new operating systems) for some reason. But a file server?! That doesn’t even need to be a server. That can just be a NAS.

One of my Melbourne customers was a prestige car dealer who had a computer in the workshop running Windows 98. It spoke to the car computers and the software hadn’t been updated in over a decade. It required Windows 98. That PC was given my all-clear only after I physically removed its network card. Also, staff were told they weren’t allowed to plug USB drives into it (I couldn’t disable USB because they needed to plug it into cars).

That said, reporting is important. It leads to conversations with IT teams like: “What’s to stop this happening to us?”
“Nothing. In fact, it’s recorded on our risk register as being a possibility.”
“Who signed off on this risk?!”
“You did. Here. And Here. And Here. And every year we keep coming at you for new hardware and you keep denying it.”
“Your new hardware is approved.”

I think it is more important that we are informed than the companies are fined. Besides, the reputation loss is a bigger disincentive than a mere fine would be. Plus: They often get slapped by legal action from their customers.