More than half of the attacks against Microsoft Office applications during the first six months of 2009 were against applications that had not been patched in more than five years. Most of these attacks affected Office 2003 users who had not applied a single service pack or other security update since the original release of Office 2003 in October 2003. The most significant of these is the infamous MS06-027 vulnerability, a remote-code execution flaw in Microsoft Word, which the company patched in June 2006. The data also showed that owners of these PCs were much more likely to have updated the operating system itself in that time frame.
Source: https://threatpost.com/office-attacks-linger-years-after-patches-published-110209/72990/