"It can cost as much as the business initially invested, if not more, to upgrade," he said.
And that's if the vendor or employees who created the original applications are still even around.
"Organizations tend to be risk averse," said Karl Sigler, threat intelligence manager at Trustwave Holdings. "As long as it's still running, there's no need to fix it. Upgrading can be costly and complex for a lot of organizations."
For regulated industries, that can include compliance audits for each system affected.
"A lot of organizations put it off until the last minute," he said.
He added that some organizations might not even know that they have Windows Server 2003 machines still hanging around.
"A lot of these systems go unidentified, adding risk to a network that's unknown to the IT staff," he said.
Unsupported software doesn't get security patches, and it lacks many of the security features that have been added in newer releases of the operating system.
"Later operating systems have user rights management and memory protection features," said Sigler.
Even if the old system is running on a completely private network, it doesn't mean a company can ignore these risks, he added.
"If the server is not publicly exposed to the Internet, the risk the server presents to the organization is far less," he said. "But perimeter security is not enough anymore. We really need security in depth, layers of security that offer protection regardless of what the entry point turns out to be."
According to West Monroe's Curran, most regulatory clauses require that reasonable security measures be in place to protect data.
"Choosing to do nothing and remain on an unsupported platform may not pass the 'reasonableness' test in the event of a security breach," he said.
That would result in fines, as well as in bad press and lost customers.
Companies that stick with Windows Server 2003 after June 14 may find themselves having to pay hefty support fees to Microsoft.
"Organizations should not expect a reprieve from Microsoft's end of support plans, as Microsoft has been true to its word regarding the end of support for Windows XP," Curran said.
And, in addition to security risks, compliance, and support fees, there are other reasons to want to get rid of Windows Server 2003, said Trustwave's Sigler.
Newer releases are more efficient, he said. They are easier to manage, and they have more functionality.
According to IDC's Gillen, for some companies the best solution may be not to upgrade, but to rip out the old system altogether and switch to a cloud-based, software-as-a-service solution.
"This is particularly true of small and medium-sized businesses," he said. Running Office, Exchange or other Microsoft applications in the cloud could be a better solution for many customers.