The Log4j vulnerability discovered late last year could continue putting systems at risk for “a decade or longer,” as unpatched instances linger on systems, according to a new report out this week.