Software rots even when you don't touch it — the maintenance question nobody asks before they build
A custom system is not a thing you buy once; it is a thing you keep. The build is the down payment. What decides whether you got value is the decade of maintenance nobody priced into the kickoff meeting.
The pitch for custom software almost always ends at launch. You sign off, the system goes live, everyone celebrates, and the invoice closes. Then a quiet assumption settles in on both sides of the table: the thing is done. It works today, so it will work next year. That assumption is the single most expensive misunderstanding in this business — because software is the one asset that decays while sitting perfectly still.
Nothing in your code changes, but everything around it does. A browser ships an update. A payment provider deprecates an interface. A phone operating system drops support for an old component. A tax rule changes. A dependency you have never heard of publishes a security advisory at two in the morning. None of that touched your business logic — and all of it can break your system, or quietly open a hole in it. A system is not a building you finish and hand over the keys to. It is a garden, and gardens grow whether or not anyone is tending them.
This piece is about the half of the cost that lives after launch: what maintenance actually is (mostly not bug-fixing), why every living system needs it, what neglecting it costs in security and slow decay, and how to decide who owns that responsibility before you commission the build — rather than the morning something goes down and nobody can say whose job it was to stop it.
The number that surprises every first-time buyer: across a system's life, the original build is the smaller part of the bill. The discipline has converged for decades on a simple rule of thumb — maintenance runs 60 to 80 percent of total lifecycle cost, captured in the well-worn "60/60 rule": about 60 percent of what a system costs over its life is maintenance, and about 60 percent of that maintenance is enhancement, not repair [1]. Read that twice. The build you are negotiating is the down payment on a larger, longer obligation — and most of that obligation is making the system do more, not fixing what broke.
This is not an opinion; it is close to a law of the medium. Decades ago, studying how large systems evolve, Lehman set down what are now called the laws of software evolution. The first — Continuing Change — holds that any system embedded in the real world must keep changing or it becomes progressively less useful. The seventh — Declining Quality — holds that the quality of that system will appear to fall unless it is rigorously maintained and adapted to its environment [2]. The implication is blunt: a system you stop investing in does not hold steady. It slides. Standing still is a direction, and it points down.
It helps to be precise about what "maintenance" even means, because the word makes owners picture repair. The international standard for the software life cycle splits it into four kinds: corrective (fix the defects you found), adaptive (keep working as the surrounding world shifts), perfective (improve and extend what users now ask for), and preventive (harden latent weaknesses before they bite) [3]. Only the first is "fixing bugs." The other three are about staying alive and useful in a world that will not stop moving — and they are where most of the work lives.
Here is the part that overturns the intuition: bug-fixing is the smallest slice. The classic survey of how maintenance effort is actually spent found the lion's share goes to perfective and adaptive work — roughly 60 percent on improvement and new capability, under a fifth on correcting defects, and the rest on keeping pace with a changing environment [4]. So when someone says "we don't need a maintenance budget, the system has no bugs," they have misread the job. Maintenance is not the penalty for having built it badly. It is the running cost of the system still being wanted.
Skip it and the bill does not disappear — it moves, and it moves to the worst possible line. The clearest example is security. Your code can be flawless and still become dangerous, because the danger arrives from outside it: a component you depend on ships a newly discovered vulnerability, and the clock starts. The most recent large-scale breach analysis found that exploitation of known vulnerabilities as the way into a breach jumped about 180 percent in a single year, and that organisations take on the order of 55 days just to patch half of their critical, already-fixed flaws [5]. The disclosure rate itself is now relentless — the public vulnerability catalogue is logging well over a hundred new entries every day [6]. An unmaintained system is not frozen in its launch-day safety. It is sitting still while the threats around it compound daily.
None of this argues for the loudest, most expensive maintenance contract on the menu. It argues for naming the responsibility before you build, not after something breaks. The expensive failure mode is the orphaned system: commissioned, launched, celebrated, then left with nobody whose actual job is to watch the dependencies, apply the patches, and absorb the small adaptive changes the world demands every quarter. The maintenance question — who owns this in month thirteen — is cheap to answer at the kickoff and brutally expensive to answer in the middle of an outage. Ask it first.
Every dollar spent on maintenance is a dollar not spent building the next thing. Ship it, keep the team lean, and only touch the system when something actually breaks. Pre-emptive "keep it healthy" work is gold-plating — the business pays for activity it cannot see and gets no new feature for the money. Run it until it squeaks, then react. Most "preventive" work prevents problems that would never have happened anyway.
Launch is the start line, not the finish. A system earns its return over years, and those years are maintenance. Treat it as a standing line item — a retainer, a named owner, a patch cadence — the same way you treat rent or payroll. The systems that pay off are not the ones that launched well; they are the ones somebody is quietly keeping alive long after the launch party. Unowned software is depreciating from day two.
The cheapest maintenance is the code you never wrote. Every feature, integration, and clever shortcut is a future maintenance liability with compound interest. Keep the system small, lean on well-supported foundations, own your data so you are never hostage to one vendor's lifecycle, and ruthlessly cut scope you will not tend. Half the maintenance bill is paid at design time, in what you choose not to build.
Camp C first, then Camp B; Camp A is how systems rot. Build deliberately small so the surface that needs tending is small — that is the highest-leverage maintenance decision and it is made before launch, not after. Then fund the upkeep of what remains as a standing obligation with a named owner, not a fire drill. Camp A is right that maintenance must not become busywork — but "fix it only when it breaks" quietly chooses the outage and the breach as your maintenance schedule. We build systems lean enough to keep, and we say who keeps them before the first line is written.
- 01What is the honest annual maintenance budget for a custom system — is the rule-of-thumb 15 to 20 percent of build cost per year right for your operation, or does your risk and compliance profile push it higher?
- 02Who should own maintenance — the team that built it, your own people, or a third party — and how do you keep that ownership from quietly lapsing after the first calm year when nothing breaks?
- 03How do you tell healthy "the world changed" adaptive maintenance apart from "we built it wrong" corrective rework that is really signalling a deeper design problem?
- 04When does a system cross from worth-maintaining to worth-replacing — what is the signal that upkeep has become throwing good money after a design that has aged out?
- 05How much maintenance can be safely automated — dependency updates, security scanning, test gates — before a human still has to make the judgement call, and where exactly is that line today?
- [1]O'Reilly — "The 60/60 Rule" (97 Things Every Project Manager Should Know): maintenance is ~60% of software lifecycle cost, ~60% of which is enhancement.
- [2]Wikipedia — Lehman's laws of software evolution (Continuing Change; Declining Quality).
- [3]ISO/IEC/IEEE 14764:2022 — Software maintenance life cycle process: corrective, adaptive, perfective, preventive categories.
- [4]DZone — Lientz and Swanson on Software Maintenance: most maintenance effort is perfective/adaptive, not corrective bug-fixing.
- [5]Verizon — 2024 Data Breach Investigations Report: exploitation of known vulnerabilities up ~180% as an initial breach vector; ~55 days to patch half of critical flaws.
- [6]CVE Program — Metrics: record volume of newly published vulnerabilities (well over a hundred per day).
We build systems lean enough to keep — and we stay to keep them.
A custom system is a decade-long relationship, not a one-off invoice. We scope for the life of the system, not just launch day — owned by you, kept patched and current, with a clear answer to "who owns this in month thirteen." Fifteen minutes to map what your system will actually need after go-live.
Book a free 15-min consultation