From my experience with financial companies, COBOL still is entrusted as the God of all Data and backend processes, but almost no user input is provided directly. In fact, most of the COBOL I've worked with has ASSUMED that the data is good and non-malicious. Either that, or the security checks were in the user interface code, which was abandoned 20 years ago.
My guess on this? The COBOL still out there has a very small attack surface...it's encased in a warm, porous, gooey layer of Java/PHP/.NET/Ruby/Groovy/Grails/G-g-g-g-g-unit! The fact that PHP (and to a lesser extent, Java) was designed by and for script kiddies does not help either, but hey!