Running a 2 year old copy of OpenBSD still safe (unless you make it otherwise). Your Linux ISO from 2 weeks ago is already vulnerable.
Is my old data on a cloud based system considered abandoned if I continue to actively use the system but don't touch some items?
This is one of the problems the ISPs want clarified; the law doesn't specify if the whole account has to be inactive, or just certain items. The law has many other problems because of changes in modern technology.
1 Sagan = Billions & Billions