It depends. One can set up a web server with BSD/Linux and nginx - it would be cheap to create and maintain and very hard/expensive to attack.
The balance is different when you have a company with understaffed IT and all which usually goes along with this: software which is not updated for months if not years despite known vulnerabilities in it, legacy systems which are kept "just in case" because no one knows what will break if they are decommissioned, poorly managed credentials to external systems, and so on.