I do understand the complexities, but I cannot believe it's as hard as it's made out to be (i.e. impossible).
Does the machine need to be connected to the internet? What does it actually need to connect to? What are the programs blocking? Can they be replaced, run server-side, etc.?
e.g. that computer running bespoke MRI software that refuses to leave Windows 95. It needs to connect to the MRI, it needs to be able to get software updates installed (but just locally and only with admin access), and it needs a one-way path to get images out onto something that can be secured.
Backups. Assuming machines can't be upgraded/secured and important stuff really is stored locally - why isn't this stuff backed up? You hit a problem, you roll back.
Then looking forward, what rules can be put in place to prevent future debt building?
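The MRI case above amounts to a small allow-list: the workstation talks to the scanner, it can push images to one hardened host, and nothing else reaches it. The following nftables ruleset for a gateway placed in front of the legacy workstation is an added example, not code from the original post or from any real deployment. The addresses, the interface names and the choice of TCP port 104 (the DICOM default; the post does not say which protocol the scanner uses) are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example: a Linux gateway that sits between a legacy imaging
# workstation and the rest of the network. All addresses and ports below are
# assumptions for illustration; substitute the real ones.

define LEGACY_HOST   = 10.20.0.10       # the Windows 95 MRI workstation
define MRI_SCANNER   = 10.20.0.20       # scanner control interface
define EXPORT_SERVER = 10.30.0.5        # hardened host that receives the images
define SCANNER_PORTS = { 104, 11112 }   # assumed DICOM ports; adjust to the vendor's protocol
define EXPORT_PORT   = 104              # assumed DICOM port on the export server

flush ruleset

table inet legacy_gw {
    chain forward {
        # Default deny: anything not explicitly listed is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were already permitted below.
        ct state established,related accept

        # Workstation <-> scanner: either side may open a session,
        # but only on the scanner protocol ports.
        ip saddr $LEGACY_HOST ip daddr $MRI_SCANNER tcp dport $SCANNER_PORTS ct state new accept
        ip saddr $MRI_SCANNER ip daddr $LEGACY_HOST tcp dport $SCANNER_PORTS ct state new accept

        # Image export: only the workstation may open a connection to the
        # export server. The reverse direction has no rule, so the export
        # server (and everything behind it) cannot initiate anything inbound.
        ip saddr $LEGACY_HOST ip daddr $EXPORT_SERVER tcp dport $EXPORT_PORT ct state new accept

        # No internet, no inbound admin sessions, no update servers:
        # updates are applied locally at the console, as the post describes.
        # Log what gets dropped so misconfigured dependencies show up quickly.
        counter log prefix "legacy_gw drop: " drop
    }
}
```

Load it with `nft -f` on the gateway and watch the `legacy_gw drop:` log lines for a few days; every hit is a connection the workstation attempted that nobody had listed, which is exactly the inventory question the post is asking. One caveat: this is a stateful firewall, not a data diode. The export server cannot start a connection towards the workstation, but it can still send bytes back on a session the workstation opened, so if the threat model includes the export side being compromised, a true one-way path needs a diode or a pull-from-the-secured-side design rather than a firewall rule.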