A car, or even an air-conditioning unit, might be expected to last for 25 years. It won't be acceptable to scrap cars after five years, as we do with laptops, since the embedded carbon cost of a car is about equal to its lifetime fuel burn. But who will be responsible for providing the security patches? Will it be the OEM, or specialist firms that guarantee long-term support? Will we have to re-do the safety certification of cars and medical devices with each patch cycle, or will we use architecture to control the costs, perhaps by having a specialist firewall that can be upgraded? In any case, what will be the effect on the economics of safety and security, and on the kind of tools that we use to write and maintain software?