Running a 2 year old copy of OpenBSD still safe (unless you make it otherwise). Your Linux ISO from 2 weeks ago is already vulnerable.
Is my old data on a cloud based system considered abandoned if I continue to actively use the system but don't touch some items?
This is one of the problems the ISPs want clarified; the law doesn't specify if the whole account has to be inactive, or just certain items. The law has many other problems because of changes in modern technology.
Old programmers never die, they just branch to a new address.