I remember reading somewhere that NASA and the US military use all old hardware and software, same reason so many big companies are reluctant to change their IT infrastructure - because "old" means patched, secure, all vulnerabilities are known and if an issue does arise it's most likely been well documented on how to fix it.
BTW your link doesn't have a valid SSL certificate.
I think it's just due to inertia and lack of funding.
At my work the primary system we use is a terminal program that dates back to the 80s. Some of the record keeping software is Windows 3.0 based.
They are just too cheap and stubborn to replace it. It's for the same reason they wouldn't replace the nasty carpet and equipment in the office that dated back to the early 90s. In that case the building owner was going to pay but they didn't want us to have the work downtime required to have all the stuff replaced.
The whole "patched" thing is where I disagree. At some point patches stop being released for the operating systems and third-party software. Also, support from vendors expires, and eventually you are running unsupported stuff. Most large distributed systems do rely on third-party pieces. Even those run by the government.
The only systems that are used like that are completely isolated custom systems, and these still require maintenance on a regular basis, which is why there are still COBOL and Fortran developers out there.
> "old" means patched, secure, all vulnerabilities are known
Not really. In my experience, it means that the vendor is no longer actively LOOKING for vulnerabilities. It doesn’t mean that they no longer exist.
For example, the WannaCry ransomware attacks targeted software that was already end-of-life.
The power industry tends to struggle with updating old devices and operating systems.
1. New software is released far more frequently than most devices can reasonably be replaced or updated.
In many cases, big equipment and specialty systems are purchased on 30 year warranties for millions of dollars. Upgrades and replacements almost always require an outage (which may also have to be approved by a regulatory body) as well as updated settings and extensive functional testing.
2. Manufacturer focus is still more on function than security
It's gotten better but this is still the norm, especially when the company is based outside the US. There have been cases where a vendor refused to release a security bulletin/vulnerability notification or patch for even serious issues (passwords being sent unencrypted or displaying in plain text for example). When asked about how customers will be notified of patches and any other security issues, one vendor reassured us that "There will be no more vulnerabilities."
3. We use many highly specialized devices that are harder to update without negatively affecting the system.
Sometimes the manufacturer decides not to make the device compatible with updated software at all. You end up with some super special gizmo that limits everything else because it can only be supported with software for Windows XP.
This is even worse if you have to hire a 3rd party to integrate/manage the system. Sure, they will upgrade you. But it will be another 20 million dollars on top of a 30 million dollar contract. In many cases, this is prohibitively expensive and cannot simply be repeated each time a new operating system is released.
4. Patching compliance rules inadvertently make firmware-based devices (which have far fewer patches and updates than operating-system based devices) and devices from vendors who aren't looking for vulnerabilities more appealing.
The patching compliance requirements are probably the most expensive part of the CIP (Critical Infrastructure Protection) requirements. Sometimes utilities are pushed to make a choice between choosing a product from a responsible vendor that makes regular updates (which increase the chances of incurring a potential violation by not meeting all the requirements for each update/patch released) or one from a vendor that rarely releases updates. Although the responsible vendor is the better choice for security, the risk of incurring huge fines (up to $1,000,000 per day, per violation) is huge.
I think this is part of the reason that you can find even highly complex things like static VAR compensator systems purchased for millions of dollars but running MS DOS.
Because they're cool. [Here's a video by a man who repairs and gets these old machines working again](https://www.youtube.com/watch?v=XLqY4MjlwVk&list=TLGGrKp1nkG7vn8yNTAzMjAyMQ). It's a lot of fun to watch.
7 comments
10 u/wuzizname 25 Mar 2021 14:19
6 u/NWOBHM 25 Mar 2021 15:01
3 u/RootHouston 25 Mar 2021 17:59
4 u/AngstKitten 26 Mar 2021 10:50
8 u/AngstKitten 25 Mar 2021 16:07
2 u/Lukginzis 20 Apr 2021 04:01
4 u/Tiltowait 25 Mar 2021 15:54