There’s a pattern that repeats itself across organisations of every size: new technology gets implemented successfully, then the assumption is that it’s sorted for the next five years. The system is running, the migration is done, the CRM is deployed. Move on.
Technology doesn’t work that way. What performs well today becomes a liability in three years if nobody is paying attention.
What ‘set and forget’ actually looks like
A client bought a comprehensive membership management system in 2014. It was the right choice at the time – 2,550 members, complex subscriptions, event bookings, document libraries. They implemented it, customised it extensively, then stopped maintaining it.
By 2018, the system was 14 versions behind current release. Dozens of extensions were outdated, including two with known security vulnerabilities on public exploit lists. The live website had accumulated unused plugins and broken customisations.
In June 2018, the site was compromised. Entirely preventable, and the subsequent rebuild cost significantly more than four years of regular maintenance would have. Classic outcome.
Why this keeps happening
Technology purchases feel like capital investments. You buy a server, you own it. You implement a system, it’s done. That mental model made sense for physical infrastructure but it doesn’t apply to software.
The threat landscape changes continuously. Security vulnerabilities get discovered, patches get released and exploit scripts become available within 24 hours. Four years behind on updates means running a compromised system whether you know it yet or not.
Businesses change too. The workflows that made sense in 2020 don’t necessarily fit how an organisation operates in 2025. Technology that doesn’t evolve with the business becomes an obstacle rather than an enabler.
Integration complexity grows over time. New tools get added, old ones get retired, APIs change. What integrated smoothly three years ago may now be held together with workarounds and manual processes.
Technical debt accumulates quietly. Every undocumented customisation, every shortcut, every “we’ll fix that later” compounds. Eventually the cost of maintaining the mess exceeds the cost of replacement.
What sustainable looks like
You don’t need constant expensive upgrades. You need regular, modest attention.
- Check security updates quarterly at minimum and apply them. This isn’t optional maintenance – it’s basic risk management.
- Review whether your systems still match how the organisation actually works. Not annually – every two to three years is sufficient for most organisations. Just don’t assume 2020’s solution still fits in 2025.
- Document customisations properly so future updates don’t break everything. The client above required an estimated 50+ hours quarterly for updates because customisations weren’t implemented using proper overrides. A correctly built system reduces that to hours, not days.
- Plan for refresh cycles. Most technology has a realistic useful life of three to five years. Budget accordingly rather than being surprised when emergency replacement becomes necessary.
The actual cost comparison
Regular maintenance feels like unnecessary spending when systems are working fine. But the comparison is straightforward.
The set-and-forget approach: zero ongoing costs for four years, then a complete rebuild at significantly higher cost, plus business disruption during migration and potential security incident costs on top.
The sustainable approach: modest quarterly maintenance, planned upgrades every two to three years, systems that keep working without crisis intervention.
The sustainable approach costs less over time. The spending is just distributed differently, which makes it less visible until the alternative presents itself as an emergency.
In my experience managing IT infrastructure across organisations ranging from small associations to major institutions, the ones that treat technology as ongoing operational management rather than a one-time capital investment consistently get better outcomes at lower total cost.
