Plaintext, sure, but it was certainly common still to use SHA-256 which is very quickly cracked if your password is short.

Doesn't mean that the infra is still ancient. What I see a lot is tech debt from migrations. Lots of times both the old and new systems have to work together for a period of time, so you leave certain legacy protocols and flags in place for the transition period and then the new system is never fully "updated" to the new standards. Pre win2k AD, file path lengths, encryption protocols, etc etc. Sure, the new system is "up to date" but the old compatibility settings remain.

This is also how feature flag services become mission critical because everything gets launched behind feature flags that never get cleaned up