The lack of expertise in old tech is in itself a security risk. If a system needs maintenance and you have to spend extra time finding the person to do the job, that is the time you are exposing your system's vulnerabilities. And I don't need to mention to you the number of times banks and credit agencies have been hacked over the years. And to your point about software being vulnerable instead of hardware, old hardware usually runs old software, because newer software often have system requirements that demand newer hardware. So in short, again, your statement of "aged hardware <> insecure" may be true in the rawest sense, but in all practical purposes everybody knows that's not true.
But if you get NEW hardware to run old software, that's different. My company is in such a position. Our mission-critical software was written for an ancient OS called PICK system from the 80s, with no modern security whatsoever. But IBM made a Windows software called "Universe" that happens to support PICK system. So we bought a modern Windows server PC with all the modern security, run "Universe" on it, and it in turns runs the ancient software that we use to this day. Our software, which had no security, now requires Windows authentication to run. We are happy to not only be able to continue using the software, but also have better security as well.