http://qs321.pair.com?node_id=11138384


in reply to XSS Protection in cgi application

for whatever reason the boss doesn't want to upgrade to a modern framework

Come on, let's be honest here. The reason is money. Someone who isn't interested in investing in new, stable technology when the old technology is recommended against, won't be interested in investing much in good security practices either.

That mentality changes quickly when the company is hacked or taken for ransom. At that point though, everyone is scrambling to patch things in an uncontrolled manner, and far more money is spent recklessly than if the original investment in better practices had been made. I have seen this time and time again in my 20+ years in the industry.

PS. From the CGI documentation itself:

"CGI.pm is no longer considered good practice for developing web applications, including quick prototyping and small web scripts. There are far better, cleaner, quicker, easier, safer, more scalable, more extensible, more modern alternatives available at this point in time."