Re: Not going to be just the NHS.
"Working for a higher education institution that will remain nameless, we've been forced to keep IE pegged at 8 and java at 6 (for which we have to pay for extended support) because a shit-ton of our admin software won't work with anything newer."
Possibly unfair in your specific case, but in a shed load of corporates I've seen (and definitely some NHS stuff) the problem is in the basic concept of ramming stuff into browsers that never belonged there in the first place.
With some minor glitches like UAC and fiddling with default user directories (easily patched) we've supported everything from WinNT4 to Win8.1 with no major difficulty and we can still support all those platforms today.
Reason? We coded to a stable API with massive backward compatibility resources always dedicated to it. That would be the Win32 API. All native code, no VMs (unless you count database engines), browsers used appropriately (meaning rendering HTML pages and nothing else), want to display a DOC file or XLS? That's what ShellExecuteEx is for.
To this day our core product is native code virtually all the way. After a decade of pressure from "consultants" we do, finally, have a reduced feature angular.js variant which we explicitly stress is for casual and non-core use only - because I don't trust the JS evangelists of today any more than their Java counterparts a decade ago.
I accept things are changing now, but anyone building a line of business app in a browser even 5 years ago is\was as insane as someone building an enterprise CRM out of Word and Excel macros (or WordPress). Even today there is a lot of angular, rails, ember etc. stuff getting loose in corporate silos where a solid Win32\64 fat client would do the job better.