Re: Make these a federal crime.
"because C-suite don't want to invest in replacing it and individual departments can never afford to."
The replacements will probably have the same problem because general purpose OS vendors' products have shorter life cycles than expensive H/W. Tying H/W replacement to the life of the OS effectively means that working H/W which cost serious money is junked and the cost of using it is inflated.
I'm not sure to what extent this still operates but there used to be public appeals to buy a scanner or whatever for the local hospital. Such appeals are likely to fall on deaf ears if the public realise that the product of the last appeal has been dumped prematurely for no good reason (and an OS vendor abandoning their product isn't a good reason).
Even if the OS is replaced the revised system would need to be recertified and that's also expensive.
AFAICS the long term solution is to ensure that the components, including S/W, of medical systems adhere to well-defined, stable and open interface standards so that any one component, and especially the more peripheral ones, can be replaced with certification applying only to the interfaces they present.