The NCSC’s observations are probably true, based on my view from the energy sector.
However, NCSC don’t get to decide on funding activity. Staying evergreen means replacing huge numbers of complex systems repeatedly. There is not enough system access to go around the work that needs doing, to say nothing of qualified personnel.
Regulated businesses tend not to be able to pay open chequebook rates for staff, so training new is a losing game for they will simply leave the moment they become useful to the market.
An intelligent question to ask is how much work is planned, and how much is being delivered. Not even remotely in the same ballpark let alone page.
I quite seriously believe a non digital solution involving staff permanently on site like we had in the 60s and 70s is more cost effective than the unhealthy obsession with digitisation.
Biting the hand that feeds IT
