I only wonder because, while I know no one could advise per se that people deliberately make bad security decisions, I don’t feel as a layman that the nature of the risk is adequately explained.

Specifically, if you use a really old OS or an old now unsupported phone. The explanations for why this is dangerous tend to focus on the mechanism by which it creates a security flaw (lack of patches, known hardware security flaws that can never be patched).

If we use an analogy of physical security whereby the goal is to prevent physical intrusion by thieves or various malicious actors, there’s a gradient of risk that’s going to depend a bit on things like who and where you are. If you live in a remote cabin in the woods and left your door open, that’s bad, but probably less bad than in a high crime area in a dense city. Similarly, if you’re a person of note or your house conspicuously demonstrates wealth, security would be more important than if it you’re not and it doesn’t.

I would think, where human beings are making conscious choices about targets for cybercrime some parralells would exist. If then, you turn on an old device that’s long obsolete for the first time in years and connect to the internet with it, while I know you are theoretically at great risk because your doors and windows are essentially wide open, how risky is that exactly? If you just connect, at home on your wifi and don’t do anything? Is someone inevitably going to immediately find and connect to this device and exploit it’s vulnerabilities? Or does there have to be a degree of bad luck involved?

I’ve brought up the idea of malicious actors who are human beings making conscious decisions, (hackers), but I was once told the concern is more to do with automated means of finding such devices when they’re exposed to the internet. This makes more sense since a theoretical hacker doesn’t have to sit around all day just hoping someone in the world will use an outdated device and that they’ll somehow see this activity and be able to exploit the situation, but I guess, it seems hard for me to imagine that such bots or automated means of scanning, even if running all day will somehow become aware the minute anyone, anywhere with an insecure device connects to the internet. Surely there has to be some degree coincidental happenstance where a bot is directed to scan for connections to a particular server, like a fake website posing as a bank or something? It just doesn’t seem it could be practical otherwise.

If I’m at all accurate in my assumptions, it sounds then like there’s a degree to which a random person, not well known enough to be a specific target, not running a website or online presence connecting an insecure device to the internet, while engaging in some risk for sure, isn’t immediately going to suffer consequences without some sort of inciting incident. Like falling for a phishing scam, or a person specifically aware of them with mal intent trying to target them in particular. Is that right?