There's a mental model most business owners carry into software, inherited from every other thing they've ever bought: you pay, you receive, you own, it works. A generator. A delivery van. A shop fitting. Maintenance means fixing it when it breaks.
Software wears the costume of that kind of purchase, one-time build, delivered, done. And the costume is a lie that costs businesses dearly, because software belongs to a different category of thing entirely:
Software is not a machine you bought. It's an organism living in an environment, and the environment never stops moving.
Understand that one sentence and every maintenance conversation you'll ever have becomes obvious. So let's earn it properly.
Why software "rots" while sitting perfectly still
Here's the puzzle that breaks the machine model: your app can decay without anyone touching it. Not one line of code changes, and two years later it's slow, broken in places, or breached. How?
Because your code was never alone. It stands on a tower of moving parts:
The foundations shift monthly. Your app is built atop frameworks, libraries, databases, and services, dozens of pieces of other people's software, all being updated constantly by their makers. Each update fixes holes and changes behavior; your unmoved code slowly stops matching the world it stands on. This is what developers mean by "dependencies aging", the floor moves whether or not the furniture does.
The neighborhood changes. Browsers update, phones update, WhatsApp and payment providers change their rules and interfaces. The integration that worked flawlessly at launch breaks the day the other side changes, and the other side never asks permission.
The attackers never stop scanning. This is the sharpest edge. Every week, new vulnerabilities are discovered in the common software everyone builds on, published openly, so defenders can patch. But the same publication is a shopping list for attackers, who run automated scans across the whole internet hunting for systems that didn't patch. Nobody targets your business specifically; the robots target everyone, and unmaintained software is simply the door left open. If this sounds theoretical, it has a famous receipt: the Equifax breach, one of history's largest, traced to a single unapplied patch for a vulnerability whose fix had been available for months. The patch existed. Nobody fed the organism. A hundred and forty-plus million people paid for it.
Your own success strains it. More customers, more data, more orders, the app that flew with 200 records wheezes at 50,000. Growth is a load-bearing change, and nobody budgets for the ceiling until they're pressed against it.
What neglect actually costs (the invoice arrives late but whole)
The cruelty of skipped maintenance is its silence, for a while. No monthly bill, everything seemingly fine. Then the deferred invoice arrives, in one of its standard formats:
- The dead integration at the worst moment, payments failing during your busiest week, because a provider's change met your unupdated code
- The breach, customer data leaked through a hole patched everywhere except your server, with your name on the apology
- The archaeology bill, the system so far behind that no developer can safely update it; years of skipped small payments due at once, plus the rebuild premium, plus the the disappearing developer scenario if custody was never sorted
- The quiet rot, slower pages, small breakages, customers drifting to competitors, and nobody connecting the revenue dip to the maintenance line that was deleted from the budget three years ago
Every one of these is the same purchase: maintenance, bought retroactively, at crisis pricing. The monthly cost didn't disappear when it was skipped. It compounded.
What "feeding" a system actually involves
Demystified, ongoing care is unglamorous and rhythmic, which is exactly the point:
- Updates applied on schedule, dependencies, frameworks, platforms kept current in small, safe steps rather than terrifying leaps
- Security patches within days, not quarters, because the scanning robots work weekends
- Backups that are tested, an untested backup is a hope, not a plan; restoration drills are the difference
- Monitoring that notices before customers do, downtime, slowness, and failures flagged to someone whose job is looking
- Small fixes while they're small, the bug that takes an hour this month and a week next year
- A human who knows your system, so that when something does break, the response starts from knowledge, not archaeology
None of this is exotic. It's the software equivalent of servicing the van, except the van's roads repave themselves monthly and thieves test every door on the street nightly, forever.
The reframe that settles the budget conversation
Stop budgeting software as a purchase with an optional service add-on. Budget it as what it is: a living asset with running costs, like premises, like staff, like the van. The build price is the birth; the maintenance line is the life. A rough, honest industry rule of thumb puts annual care at a meaningful fraction of build cost, and every year it's paid, it's the cheapest insurance in your entire operation. The year it's skipped, the discount is a loan.
This is, transparently, why care plans exist as a service and why we raise maintenance in the first conversation of every build rather than the last: not as an upsell, but because we've seen the deferred invoice too many times, and it's never addressed to us. It's addressed to the business that was told their software was finished.
Nothing alive is finished. Feed the organism. It's cheaper than the funeral.