No doubt about it, Barney, Gartner is full of themselves.
If your operating system is still being supported/patched by your vendor and your AV software is up-to-date, you are not any more vulnerable to malware than anyone else. System efficiency and user productivity are another matter. Here is the point:
As a matter of principle, it is important for every enterprise to maintain an IT budget with strict hardware and software lifecycles. (With IT, three-year lifecycles are optimum. Bean counters and tax types prefer five-year lifecycles. IT can usually live with that. However, after five years, hardware starts to become unreliable and the technology has left you in the dust. Trying to add updated software to five-year-old hardware may be penny-wise but it is certainly pound-foolish. Hardware should be purchased with cradle-to-grave warranty coverage. Three-year warranty coverage is usually a good investment. Years four and five tend to be more expensive, but if your mission-critical hardware fails, you will be glad you bought it.)
At the end of each lifecycle, the chosen hardware and software should be re-evaluated, along with alternatives. Once a selection is made, all software should be maintained at the current version level. Updates should be applied as they are announced (after they have been tested in your environment). Version updates of software in the middle of a lifecycle need to be evaluated carefully before proceeding as mission-critical software can be sensitive to changes in the other software which you support.
The thing is, we have gotten much better at building security and resiliency into our applications. Newer applications take advantage of the advances in processing power, storage capabilities and systems management improvements much more so than something written/published 5, 10 or 15 years ago. Further, over time an organization's brand-new application has accumulated a number of dents, had countless rolls of duct tape employed to keep things together and been repaired with mismatched nuts and bolts. I would venture that the amount of extra effort going into maintaining obsolete systems outweighs the cost to get systems current. Further, the hardware/software vendors would probably cry foul if everyone stopped needing to pay through the nose for extended support agreements.
IT Debt seems really to be referring to entropy and the tendency to disorder. That's just life. Things lose their luster. However, like an old pair of blue jeans, sometimes things are just as good with a little wear!