Low.

While the NSA would, absolutely, use it to elevate existing internal access - it is such low-hanging fruit that they have enough alternative tools in their arsenal that it isn't a particularly big loss. Most of their competent adversaries disabled it years ago (as has been best-practice since 2010~).

More likely, it is Microsoft's obsession with backwards compatibility. Which while a great philosophy in general has given them a black eye several times before vis-a-vis security posture.

Most importantly, the NSA is not just about spying, it is also about protection.

A weakness anyone can exploit in software Americans use is not a good thing for the NSA. If they were to introduce weaknesses, they want to make sure only they can exploit them. For instance in the famous dual_ec_drbg case where the NSA is suspected to have introduced a backdoor, the exploit depends on a secret key. This is not the case here.

On the other hand if Snowden has shown us anything, it is that the NSA is more stupid than it looks.

There are tons of old printers/copy machines that allow SMB access or AD auth that will never see a software update that will break.

Honestly I blame the copy machine manufactures for requiring service contracts for security updates on a lot of this.

Those stupid MFD machines have been the bane of my existence as a sysadmin ever since I started in this career many, many years ago.

It's these machines, plus a few really old windows-only apps deep in basement of enterprises that keep this old tech around. There's usually no budget to remedy, and no appetite to either from leadership

Its also what happens when the people buying the tech are disconnected from the ones implementing. Microsoft caters to this.

Just photocopy some currency. Depending on the machine, it has a good chance of bricking the machine with an obscure error code until a service tech comes out, at which point you can point out this machine is really old and why don't we get a new one.

If you'd rather not commit attempted forgery, just print out some Wikipedia pages about the EURion constellation, which is what they detect in money.

Joking, obviously.

Microsoft supporting something doesn't mean that you have to use it. There's something as personal responsibility.

Do manufacturers also have personal responsibility for making safe products, or does it fall to consumers to become experts in the myriad different fields necessary to asses the safety of every product they buy?