It is always amazing to me when company's like T. Rowe Price manage to postpone or delay updating their programs until the last minute. It only takes a small amount of planning and budgeting to keep systems current. Security of the system, the information and the assets are depending on keeping the programs updated and it should be a part of every company's process and plan to ensure that they keep updated on their system. While I do agree with you that transferring the risk may seem like the best option, I wonder if it is a viable one. For example, feasibility would have to come into question... if the organization is even a mid-sized company, it may take a very long time to actually migrate all devices to a new operating system. I've seen this many times before and it has failed due to many issues including costs, dependency issues, architectural misconfigurations, etc. In the given scenario, two weeks may not be enough time... however a level of ambiguity does exist with the information given, which is why I personally rejected the risk and asked for more information first.