It should be noted that AWS and other Cloud providers let you set up Security Groups containing specific IP addresses or ranges (i.e. just whitelist your static IP for SSH/RDS access).
It isn't as secure as a VPN (and not as convenient), but definitely a stop-gap if you don't want to pay for Client VPN.
Some of it is new software. South Korean love of ActiveX for example, a technology dead for at least 10 years. Still getting new stuff written.
On the contrary, most critical software is plenty new - things like MS Office. Still bound to Windows.
The remaining systems rely on truly custom software and should be either airgapped (so no RDP) or rewritten. I'm thinking industrial - they should've planned for this many years beforehand.
There were instances back when Windows XP was the main driver.
