You're right, but you might be disappointed in how seldom network operators actually install updates. It isn't uncommon to find switches with a year of uptime still running the factory software that came preinstalled. (I'm obviously not trying to defend this malpractice!)
You can easily find firmwares for older EOL systems. Cisco isn't even gonna fight that. Readily available on the Bay of Yarrrrrrr
Newer firmwares for Cisco, Juniper, Brocade, et al, are a little harder but still easy to find.
In both cases caveat emptor, since you have no way of knowing if they're trustworthy or not. I messed around with some older yarrrrrr firmware when I was studying for my CCNP and built a lap from craigslist hardware, but that was behind a pfsense firewall I built myself and kept totally away from anything that mattered. No malicious behavior AFAIK, but I'd never trust those IOS/IOS-NX images in Prod.
Well, Cisco publishes both MD5 and SHA-512 hashes for all their updates. It would be pretty impressive for a bad guy to build an evil file that has both an MD5 and also SHA-512 collision. You might need an active CCO account to view http://software.cisco.com, though.
