TYPO3 GmbH offers an alternative to a TYPO3 update: ELTS ("Extended Long Term Support") versions, which let you keep receiving updated releases of a TYPO3 version even after its official end of support. Currently (as of November 2024), versions 9 (still), 10, and 11 are available there. Each version receives updates for six years in total, and that figure includes the free versions on typo3.org, so ELTS actually adds only three years. Updates for the recently expired version 11 will be available until October 2028.
Prices for the respective ELTS version used to be listed on the TYPO3 GmbH website. These can no longer be found. On another site, I read something about €2,200–2,800/year, but I also remember seeing much higher prices. Perhaps these were for the entire three years.
This means that a TYPO3 update can be postponed for quite some time, but doing so can be quite expensive. Furthermore, ELTS only applies to the TYPO3 core. Extensions are excluded, and the cost of updating them may come on top, if the extension developer offers such updates at all.
TYPO3 extensions can also make a TYPO3 system vulnerable, and sometimes that is exactly what happens. Most developers may adhere to the development guidelines specified by the TYPO3 Association. But can you vouch for every extension in your system? None of my customers actually look at the code.