Apple has a de facto policy about operating system updates on the Mac: security issues get patched for the current and two previous major macOS releases. In other words, the latest major version of macOS (n) as well as last year's release (n-1) and the two-year-old release (n-2) ostensibly get the same security updates. This can be convenient because, in theory, it means that users can stay on an older macOS version for a couple years, for example if their favorite software isn't supported yet on the latest OS, or if the current macOS release won't run on their old Mac hardware.
But is it really true that, by virtue of still getting security updates, older versions of macOS are just as safe as the latest version? Few Mac users and admins are aware that Apple doesn't necessarily patch every security vulnerability in the two previous macOS versions. In this presentation we will seek to quantify, to the degree possible, exactly how safe or unsafe it is to stay on older versions of macOS, and whether or not you should upgrade quickly to each major new release. In our comprehensive analysis, we'll not only compare CVEs addressed (or not addressed) for proprietary and FLOSS components of each macOS version, but we'll also share insights from Mac vulnerability researchers, and with any luck, we'll see if we can learn anything from Apple itself on the subject.