Sometimes there is a valid reason not to update. The decision not to do so is a high-level risk decision that should be taken in the broader context of the organization's risk management policies and practices.
You may find more problems than you have resources to resolve. The decision not to fix a problem is fundamentally a high-level business risk decision, not an IT problem, and every organization has its own risk appetite. There are a number of reasonable factors to weigh, including cost, resources, complexity, and other operational risks. The goal should still be to update by default and to minimize the number of case-by-case decisions. The organization's risk management structure and its employees need to understand which risks the organization currently chooses to tolerate.
Risk-based prioritization should draw on your organization's own risk assessment together with CISA's Known Exploited Vulnerabilities catalog or threat intelligence feeds. Do not make decisions based solely on a single severity score (e.g., CVSS). Factors to consider include:

- The potential impact on the system or service: for example, do you have an effective backup and sufficient system knowledge to recover it?
- Damage to the system, the service, or your organization's reputation.
- Direct costs, such as replacing outdated systems.
- The availability and cost of short-term fixes.
- The availability and cost of the skilled resources needed to carry out the work.
- The cost of incident response and recovery, including any penalties imposed in the worst-case scenario.

Once you have made a decision, document the reasons behind it and make sure any remaining risk is captured in your organization's overall risk management framework. This could be a risk register in which similar risks are grouped under one entry, such as "High: Unpatched externally exposed vulnerabilities allow initial compromise". Importantly, the risk is owned by the business, not the security team, and it is visible to senior leadership.
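As an added illustration (not part of the original guidance), the following Python shows the two mechanics described above: ordering findings by exploitation evidence and exposure rather than by CVSS alone, and recording any decision not to patch in a risk register that requires a named business owner, a documented reason, and a review date. The CVE identifiers, the stand-in for the CISA catalog, and the asset names are all constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed stand-in for the CISA Known Exploited Vulnerabilities catalog;
# a real deployment would load the published catalog. Ids are placeholders.
KNOWN_EXPLOITED = {"CVE-XXXX-0001", "CVE-XXXX-0003"}


@dataclass
class Finding:
    cve: str
    asset: str
    cvss: float
    externally_exposed: bool


def priority(f: Finding, kev: set = KNOWN_EXPLOITED) -> int:
    """Lower is more urgent. Exploitation evidence and exposure outrank the bare CVSS score."""
    if f.cve in kev and f.externally_exposed:
        return 1  # known to be exploited and reachable from the internet: patch first
    if f.cve in kev or (f.externally_exposed and f.cvss >= 7.0):
        return 2
    if f.cvss >= 7.0:
        return 3
    return 4


def triage(findings):
    """Findings ordered by risk-based priority, then by CVSS within a priority band."""
    return sorted(findings, key=lambda f: (priority(f), -f.cvss))


@dataclass
class RiskAcceptance:
    finding: Finding
    owner: str      # a business owner, not the security team
    reason: str
    review_by: str  # ISO date (YYYY-MM-DD); ISO strings compare correctly as text


@dataclass
class RiskRegister:
    # theme -> accepted findings, e.g. "High: Unpatched externally exposed vulnerabilities ..."
    entries: dict = field(default_factory=dict)

    def accept(self, acc: RiskAcceptance, theme: str) -> None:
        """Record a decision not to patch; reject entries lacking an owner or a documented reason."""
        if not acc.owner.strip() or not acc.reason.strip():
            raise ValueError("an accepted risk needs a named business owner and a documented reason")
        self.entries.setdefault(theme, []).append(acc)

    def due_for_review(self, today: str):
        """Accepted risks whose review date has arrived, so tolerated risk is revisited, not forgotten."""
        return [a for accs in self.entries.values() for a in accs if a.review_by <= today]
```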