If he has processes that have been up since 2015 how is he patching? That's one of my biggest gripes with on-prem, it's easy to leave something that works alone... until it gets popped by a 5 year old vuln.

In cloud I'm constantly looking at what we have because I have good billing tools in place to see what we're paying for.