Re: What are they waiting for
I'll bet some of these "air gapped" systems have a modem or possibly a leased line connected to a private network (the beancounter says "air gapped from the internet is good enough, right?")
Air gapped systems still need to be supported, which implies something gets access to them at some point. You could say "fine, everything that touches them has to be air gapped" but that's reductio ad absurdum.
A vendor creates a software update, intending to deliver it to the air gapped customer systems. How do they get that software update off their non-gapped developer machines onto an air gapped system in a 100% secure manner. Answer: you can't. They'd have to have 100% air gapped developer machines, which is totally infeasible.
Another issue is that too many will assume that because systems are air gapped, they're secure by default and thus don't need to be locked down, don't need good passwords, don't need patching, etc.