Depends on your risk surface. If the program in question that doesn't get any updates is isolated from the network completely. air gapped. Then it's probably fine. It's working.
The trouble is the internet is constantly evolving, and so as soon as an exploit is discovered it's added to a bunch of exploit scanners which look for things online that they can exploit. So if you have a piece of software that's not getting updates, and it's attached to the network. You could get in trouble.
And not just the software itself, any libraries it used, any build environment objects that pulled in. All of those are part of the ecosystem. So while the code itself may not have somebody looking at it for an exploit, it could use a standard library which now has an exploit which is in metasploit with somebody's just scanning the internet to find your little phone.