Why Mainframe Modernization Projects Fail - And What Actually Goes Wrong

Mainframe modernization has a high failure rate, and the evidence is public. Governments spend over $100 billion a year on federal IT while the systems they are trying to replace keep running. Banks have lost hundreds of millions of dollars on migrations that collapsed over a single weekend. Payroll and benefit systems have paid people incorrectly for years. In every one of these cases the organization had a budget, a plan, and a vendor. The technology was never the real problem.
What fails, over and over, across the public and private sector and across decades, is methodology. Projects start without a complete picture of what the legacy system actually does. Business processes get migrated without being redesigned. Security is pushed to the end. The institutional knowledge that keeps the system running walks out the door with retiring staff before anyone captures it. And when oversight bodies flag these exact risks and recommend fixes, the findings get acknowledged and filed instead of resolved. By the time the consequences show up, the budget is gone and the fallback system has already been switched off.
Whether the program is framed as application modernization services, cobol modernization, mainframe application migration, or a broader legacy system transformation, the failure modes are identical. This page lays out the six root causes, the U.S. Government Accountability Office findings that confirm them across $51.7 billion in stalled federal programs, and the real-world consequences when organizations got it wrong. Understanding these patterns is the single most useful thing you can do before you evaluate any mainframe modernization services provider.
The Six Problems That Cause Modernization Failures
1. Replicating the Old System Instead of Redesigning It
This is the most common pattern in failed programs. Organizations move their mainframe to the cloud without changing anything, preserving every old problem in a new, more expensive environment. COBOL modernization that repackages rather than redesigns delivers the same result every time: higher costs with no improvement in capability. Without real mainframe modernization services, the chance for genuine mainframe cost reduction is lost.
Six specific costs never show up in the "lift and shift" business case for mainframe modernization services:
- Dual-vendor lock-in. You trade one mainframe dependency for two: COBOL specialists are still needed for every change, and the cloud wrapper vendor becomes a second dependency you cannot remove.
- Security and compliance blind spots. Repackaging carries forward the same authentication weaknesses and the same absence of application-layer encryption. Modern vulnerability scanners cannot read COBOL, so your compliance team works without visibility.
- Higher 5-year total cost of ownership. COBOL specialists command rising rates, and cloud compute makes overnight batch cycles expensive. Costs diverge year over year instead of converging.
- An accelerating workforce crisis. The average COBOL developer in production today is over 55. Within 5-10 years, qualified maintenance staff may be unavailable at any price.
- Old problems preserved at a higher price. Operations and maintenance keep eating the IT budget instead of funding the work that makes you competitive.
- A permanent business ceiling. Partners want real-time APIs; the repackaged system still produces nightly batch files. Revenue tied to partner ecosystems, mobile channels, and self-service portals stays architecturally out of reach.
Mainframe modernization services that avoid this failure mode redesign the business processes and rebuild the application components for a modern target. They do not preserve legacy structure on new infrastructure.

2. Underestimating How Complex the Existing System Really Is
Underestimating complexity is the leading cause of cost overruns. Decades of undocumented business rules, workarounds, and hidden dependencies make planning unreliable. Successful mainframe modernization services, cobol modernization, and mainframe application migration all depend on thorough discovery. When discovery is rushed or skipped, budgets blow out, timelines slip, and critical requirements surface too late to fix at a reasonable cost.
3. Lacking the Expertise to Redesign Business Processes
Mainframe systems were built around scheduled batch processing, file-based data exchange, and text-based terminal screens. Moving to a modern platform means rethinking how work actually flows: batch to near-real-time, file transfers to direct system integration, terminal screens to web and mobile. Effective mainframe modernization services, mainframe migration services, and cloud migration services have to include process redesign expertise. Without it, organizations just automate outdated workflows instead of improving them, which is where many application modernization services programs fail to deliver the value that was promised.
4. Losing the People Who Understand the System
The developers who built and maintained your mainframe are retiring, and much of what they know was never written down. It leaves with them. application modernization services and mainframe modernization programs depend on capturing that knowledge before it is gone. Without a workforce continuity plan, modernization teams inherit systems they cannot fully understand. Strong mainframe modernization services include structured, AI-assisted knowledge capture before institutional knowledge walks out with retiring staff.
5. Treating Security as Something to Handle Later
Legacy systems carry decades of accumulated security vulnerabilities. When cybersecurity and privacy get deferred to the late stages of a mainframe modernization services program, the cost and risk of fixing them multiply.
6. Acknowledging Audit Findings but Not Acting on Them
Governance reviews identify risks and recommend corrective action. When those recommendations are accepted but never implemented (sometimes for years) the same problems reappear in the next mainframe modernization services program, made worse by time.
The Evidence: What GAO Found Across 2024-2025
The U.S. Government Accountability Office (GAO) [https://www.gao.gov] has tracked federal IT modernization across multiple oversight reports published in 2024 and 2025. The findings confirm that these six problems are not theoretical. They are documented, measured, and recurring.
Scale of Spend and Pattern of Regression
- $100B+ spent annually on federal IT, the vast majority on operations and maintenance of existing systems, not innovation. Organizations continue running critical missions on decades-old technology. (GAO-25-107743 [https://www.gao.gov/products/GAO-25-107743])
- GAO's 2025 High-Risk Report identified 38 high-risk areas: up from the prior cycle, with IT acquisitions and management as one of only three areas that regressed. (GAO-25-107743 [https://www.gao.gov/products/GAO-25-107743])
- The Social Security Administration spent approximately $2.2 billion on IT in FY2024, with about 90% going to operations and maintenance, infrastructure, and cybersecurity rather than modernization. (GAO-25-107200 [https://www.gao.gov/products/GAO-25-107200])
Program Delivery, Workforce, and Oversight Failures
- A March 2025 GAO review profiled 16 mission-critical IT acquisitions across 11 federal agencies, expected to cost at least $51.7 billion total. Ten of 16 programs reported that not proceeding would put the agency's ability to meet mission needs at risk. (GAO-25-106908 [https://www.gao.gov/products/GAO-25-106908])
- Skills gaps contribute to 20 of GAO's 38 high-risk areas. 34 of 53 DOD software programs cannot hire enough skilled people. Four of 24 major agencies have not fully implemented IT workforce planning. (GAO-25-107852 [https://www.gao.gov/products/GAO-25-107852])
- Of 1,881 IT-related recommendations made since 2010, 463 remained unimplemented as of January 2025, including 32 of 69 designated priority recommendations. (GAO-25-107852 [https://www.gao.gov/products/GAO-25-107852])
- None of the 24 major federal agencies fully met statutory requirements for annual IT portfolio reviews. Eight agencies with IT investments rated high-risk for four consecutive quarters did not follow the required review process (five did not perform the reviews at all), permitting investments with substantial cost, schedule, and performance problems to continue unabated. (GAO-25-107041 [https://www.gao.gov/products/GAO-25-107041])

Security Exposure and Mission-Critical Risk
- Seven of 16 mission-critical IT acquisitions identified high cybersecurity and privacy risks, where an adverse incident could have severe or catastrophic effects. Some systems are over 30 years old, with replacements not expected until 2035. (GAO-25-106908 [https://www.gao.gov/products/GAO-25-106908])
- After a 2023 national airspace shutdown caused by a legacy system outage, FAA assessed all 138 air traffic control systems: 51 (37%) are unsustainable and 54 (39%) are potentially unsustainable. Some systems are 30-50 years old, modernization for the most critical won't be complete for 10-13 years, and four critical systems have no mainframe modernization services investment planned at all. (GAO-24-107001 [https://www.gao.gov/products/GAO-24-107001])
These findings confirm that deferred modernization creates compounding institutional risk. The same pattern is what drives demand for application modernization services across every sector that still runs on legacy infrastructure.
How These Problems Map to Documented Outcomes.
Problem
What Goes Wrong
GAO Evidence
Replicate without redesign
Old problems are preserved in a more expensive environment.
O&M spending still dominates $100B+ in annual IT budgets.
Underestimate complexity
Missed rules and dependencies cause project overruns and delays.
16 programs totaling $51.7B+ were reviewed, with many stalled; 10 of 16 agencies said failure would risk core missions.
Lack process redesign expertise
Outdated workflows are automated instead of improved.
FAFSA rollout reduced first-time applicants by about 9%; VA EHR reached only 6 of 160+ sites after four attempts.
Lose critical skills
Institutional knowledge disappears without a succession strategy.
34 of 53 DOD software programs reported staffing shortages; skills gaps affect many high-risk areas.
Treat cybersecurity as an afterthought
Security issues are discovered late, increasing project risk.
7 of 16 programs had major cybersecurity concerns, including systems over 30 years old.
Ignore oversight recommendations
Known issues remain unresolved for years.
463 of 1,881 GAO recommendations remain open, and IT management was downgraded in 2025.
Real-World Failures: US Public Sector
California Employment Development Department - $20B+ in Fraud (2020-2021)
When unemployment claims surged in 2020, California's Employment Development Department (running a COBOL-based mainframe dating to the 1980s) could not keep up. The system lacked capacity, could not implement new federal programs quickly, and had minimal automated fraud detection. A 2021 state audit estimated approximately $20 billion in fraudulent payments, described by investigators as "perhaps the largest fraud wave in history." California had known for years the system needed replacement, but modernization was repeatedly deferred.
Sources: California State Auditor [https://www.auditor.ca.gov] Report 2020-128 (Jan 2021); GAO-22-104251 [https://www.gao.gov/products/GAO-22-104251] (Jun 2022)
U.S. Internal Revenue Service: A 1960s System Still in Production (1962-ongoing)
The IRS Individual Master File (processing tax records for over 100 million Americans) was built by IBM in the 1960s for the System/360 platform. It is written in COBOL and assembly language and remains in daily production over six decades later. On Tax Day 2018, the IMF suffered a hardware failure that shut down electronic filing nationwide. In 2020, the system could not be modified fast enough to disburse COVID stimulus payments correctly. The IRS began building a replacement in 2000; it was halted in 2009. A second attempt started in 2009 with a 2014 target. Full implementation was delayed to 2030.
Sources: GAO-18-298 [https://www.gao.gov/products/GAO-18-298] (Jun 2018); GAO-22-104387 [https://www.gao.gov/products/GAO-22-104387] (Oct 2021); GAO Watchblog [https://www.gao.gov/blog] (Nov 2021)
Real-World Failures: Private Sector
TSB Bank (UK): £330M+ Core Banking Migration Failure (2018)
TSB Bank attempted to migrate 5.4 million customer accounts from Lloyds Banking Group's IBM mainframe-based core banking platform to a new system. The migration, executed over a single weekend, failed immediately. Up to 1.9 million customers lost access to banking. Some could see other people's account details. The CEO resigned. UK regulators fined TSB £48.65 million for inadequate testing and poor risk management. Total losses exceeded £330 million.
Sources: Financial Conduct Authority [https://www.fca.org.uk], Final Notice (Dec 2022); Prudential Regulation Authority [https://www.bankofengland.co.uk/prudential-regulation], Final Notice (Dec 2022)
RBS/NatWest Group: Mainframe Batch Processing Failure Affecting 6.5 Million Customers (2012)
A software update to the CA-7 batch scheduling system on RBS Group's IBM mainframe infrastructure was corrupted during deployment. The entire batch processing pipeline stopped. Customers of NatWest, Royal Bank of Scotland, and Ulster Bank lost access to ATMs, had payments misapplied, and experienced weeks of disruption. The Financial Conduct Authority fined RBS Group £42 million for "unacceptable weaknesses in its IT systems."
Sources: Financial Conduct Authority [https://www.fca.org.uk], Final Notice (Nov 2014); House of Commons Treasury Committee [https://committees.parliament.uk/committee/158/treasury-committee/] (Oct 2012)
Hershey Foods - $150M+ Mainframe-to-ERP Migration Disaster (1999)
Hershey attempted to replace its legacy mainframe-based order processing systems with a simultaneous go-live of SAP, Manugistics, and Siebel software, just months before its most critical sales season. The new systems failed to process orders correctly from day one. An estimated $100 million in orders sat stranded. Q3 1999 revenue fell 12.4%. Total losses exceeded $150 million. The case remains one of the most widely studied mainframe-to-modern migration failures in business history.
Sources: CIO Magazine (Nov 1999); Wall Street Journal (Oct 1999); Computerworld (Nov 1999)
How to Evaluate a Vendor Before You Commit
The evidence above makes one thing clear: choosing the right mainframe modernization services partner matters as much as choosing the right technology. Use this checklist when you evaluate any provider.
- Do they start with fixed-cost discovery? Any vendor that skips discovery or buries it inside an open-ended time-and-materials engagement is shifting risk onto you. A credible mainframe modernization services provider offers a bounded discovery phase with defined deliverables before asking you to commit to a full program.
- Do they redesign processes, or just migrate code? Ask what their application modernization services scope covers beyond the technical migration. If the answer is limited to lifting and shifting logic, expect to keep every legacy bottleneck in a more expensive environment.
- Do they have a documented three-phase process for knowledge recovery? Credible cobol modernization and legacy system transformation vendors can explain how they discover current-state rules (AI-assisted extraction), validate them with your team (SME workshops), and produce a target-state specification that redesigns for modern capabilities instead of just migrating what exists. Ask to see an example deliverable from each phase.
- Can they demonstrate AI-assisted COBOL analysis? Recovering knowledge from undocumented COBOL is the single hardest part of any mainframe modernization services Ask how they approach it and what structured deliverables they produce.
- Do they have full-stack cloud delivery capability? Understanding COBOL is not enough on its own. The team doing the build has to be strong in modern architecture, cloud infrastructure, enterprise data engineering, and the rules-engine technologies that keep the result maintainable.
- How do they handle post-go-live support? Structured hypercare, knowledge-transfer documentation, and a defined exit from delivery into operations are non-negotiable. Ask for examples from completed programs.
When you evaluate any mainframe modernization services provider, require documented evidence of delivery against each of these criteria. Proposals and references are not enough; ask for deliverable samples and program timelines from completed engagements.
We Built Our Methodology to Eliminate These Failure Modes
Every element of our mainframe modernization services approach (AI-powered knowledge recovery, joint working groups with your SMEs, rigorous parallel testing, enterprise-grade cloud foundations, and continuous knowledge transfer) maps directly to the problems documented above. Our full mainframe modernization services portfolio, from application modernization services through enterprise cloud migration services, is built from the ground up to avoid these failure modes and deliver real mainframe cost reduction and lasting legacy system transformation.
The pattern across every documented failure is the same: good intentions, poor methodology, and the wrong partner. Well-executed mainframe modernization services (with the right methodology, the right tools, and the right team) deliver the outcomes these programs promised and did not.
Ready to Explore?
Start with a complimentary 60-minute discovery consultation: no sales pressure, just an honest conversation about whether transformation makes sense for your organization.
Comments