If your latest C compiler cannot compile your old sources, the old binaries still work

That's not always true, especially if they use dynamic linking. Sometimes it's not even true with static linking. (Try to run an old proprietary Linux game from before 2000 on a recent system, for example.)

No, managers do not always see security as "business value", either. There was one system, written in an old PHP4 framework, that kept getting cracked and various bots installed. Management preferred to routinely clean the intrusions off of the server instead of replacing the system with something reasonably secure. Yes, that is insane. No, that was not my call. I no longer work there.

I've seen that too, but you're reading into sundial's comment something he never said. He explicitly argued that there was no business value to moving from PHP 5 to PHP 7 and tried to convince people of that.

That's not an argument I expect to hear from a developer of his purported experience. Running a public-facing project with a dependency that's out of support from its maintainers as well as long-term support from its distribution is ignorant and best and, more likely, malicious malfeasance.

That's why I respond. I am 100% in favor of asking "What's the business value of this technical change?", but anyone who claims to be a senior developer but snidely brushes away the idea of security updates as an annoyance and hindrance is doing something very wrong.