An area of audit/3rd party recommendations is often un-patched and unsupported software, i.e. missing patches on the Server 2003 OS, or SQL Server, or Oracle, etc., or a version of software that the vendor is no longer patching.
I have never seen an audit recommendation on hardware support, however. Does unsupported hardware pose a risk as well? How can unsupported hardware pose a risk, and what kind of “support” is often given to hardware, i.e. any form of patches for security, or does it focus elsewhere? How long does, say, a modern server typically stay under vendor support, and what kind of issue/risk does a company run operating unsupported hardware such as servers/workstations? What is the likelihood of such risks ever coming to the fore?