From today Drupal 6 websites will not receiving any more official security advisories or patches and are vulnerable to any new security issues discovered in Drupal 6 core or its modules. And yet the CMS is like Windows XP – for some reason users are not upgrading.
Drupal is popular and as such it is a good target for criminals at the best of times and there is a lot of expertise out there in attacking it. The only hope for you if you are still running Drupal 6 is to pay three vendors to give you long term support. Those vendors will themselves receive assistance from the Drupal Security team and are in turn obliged to abide by the same disclosure policy and release patches on drupal.org’s Long Term Support page.
It is not clear how good this service will be, or how much it will cost, so it would be better to upgrade.
Drupal 8 provides a Migration path directly from Drupal 6 as an experimental feature, so sites can update directly to Drupal 8 using either a user interface or with Drush. The Migrate feature will be fully supported in a later minor release of Drupal 8.
Drupal 7 is still fully supported and there is a core update feature when that is a better fit. However Drupal 7 will only be around until Drupal 9 is released so users will end up having to upgrade then too. Switching to WordPress and Joomla is also an option as there are packages to allow this to happen.
The writing has been on the wall for Drupal 6 for five years so the ten per cent figure is rather high.