If there are legacy systems that would be too expensive to tear down and modernise, then some form of regulatory fine should be implemented to stop this. There is no excuse for running IE anywhere these days, especially now after this news, which puts the final nail in the coffin.
It’s a liability. The problem with security measures is that there is no immediate reward, but a few years down the line and you get ransomware’d, you would want to have replaced legacy systems with modernised software and hardware. You need to weigh the cost of modernisation versus getting embarrassingly pwned.
A fine is a bad idea since companies should be able to take risk freely as long as this risk isn't socialized. I don't get fined for leaving my door unlocked, because it is my prerogative whether I take that risk. If risky behaviour affects others, then fines would be appropriate (e.g. managing customer data).