I have worked at several large companies that purchased very expensive software systems with varying results. In all cases the evaluation ultimately fell to one individual. The ability to immediately enter a market and be up and running over night is substantial enough that these large systems are worth every penny. These systems have long term coat implications, due to either poor architectures or outdated technologies, that are often missed in the initial analysis. How to avoid these pitfalls of purchasing software will be demonstrated through simple analysis techniques.
Make a list of the technologies used by the application and break the technologies down into groups by timeframe so execs can really understand what is being purchased. Run the source code through a line counter and assign percentages to each technology being used. Ideally you don't want any vb6 at this point but you would likely not sweat an app that is 5% vb6 but if the app was 55% vb6 you really should think twice.
Code quality is hard to determine but having a seasoned software developer scour the code for consistency would be invaluable. NDepend is a good tool for automating analyzing .net code. Repeated code or code marked obsolete are obvious signs of poor code quality. Having a passing set of meaningful units or integration tests is a sign of a good code base. A developer is likely the best person to determine if the tests are meaningful. Good code bases tend to have class files less than 400-500 lines in .net. Large god classes of 3000+ lines of code are a strong indicator of poor design. They are a nightmare to understand, maintain, or extend.
Make a list of the security vulnerabilities of the system. Legacy systems are prone to SQL injection attack vectors. Part of the security list should contain all the security technologies used in the application. Are you using forms authentication or are you using home brewed security mechanism would be a typical question for a asp .net application.
There are many other things to consider when purchasing a large enterprise system. Is the database in a healthy state? Does it come with an installer? Is there current documentation? Is there a consistent architecture in the app? Are you able to build reports on the system directly from the data store? If you need help evaluating a system I am available for a small consulting fee;)