During a recent vulnerability assessment, it was discovered that a business-critical legacy application is vulnerable to a well-known security exploit. The application is running on an unsupported operating system, and the vendor no longer provides patches. As part of vulnerability management reporting, what should be the primary recommendation to stakeholders to mitigate the risk associated with this legacy application?
Upgrade the operating system to the latest version
Decommission the application immediately to remove the vulnerability
Ignore the vulnerability since the application is business-critical
Implement compensating controls to mitigate the risk