That's my real concern: old, out of date images. How will we handle another OpenSSL-level vulnerability in 7 years, with bad code buried in containers that haven't been updated in 4, and for which the build infrastructure is no longer functional?
This really isn't that different from having some pre-built statically linked app still kicking on your system with the source and/or build tooling long gone.
There aren't really easy answers here. You can't fix bad software with more tooling.