It’s technical debt, is what it is. The more it grows, the more expensive it gets to get rid of. Once it’s insurmountable, you become a sitting duck for an attack as you’ve described.
I don’t know that any (current changes to) management can adequately address the scope of the issue. It will require funding. I can’t imagine some cases of this being fixable without literally doubling the workforce, or outright shutting down until a modernized system is up and running. I’ve worked some places. I’ve seen some concerning shit.
I feel like every tech company needs their CTO to be pulling their C-weight. Every tech lead should be yanking on their CTO’s balls/ovaries to spend the money or face the consequences. I feel like every CTO would sooner just jump ship and pull the golden ripcord instead.