Friday security musing: If it is still in production* then it can't be called legacy software.

SaaS - meaning the product is still accessible by customers
or
On-prem - meaning the product being installed by new customers or used by >50% of your user base