Meh.

If the other layers of security are in place, the risk can be managed.

The problem you describe is from things like that XP user running as admin, a failure of security layering.

Security isn’t just having all the updates, which is the implication statements like this makes.

I have XP VM’s with no service packs that connect to the internet. They’re NAT’ed in VMware to an isolated subnet that has its own firewall. No MS ports are permitted out of that subnet other than RDP, and that only from specific IP addresses. There’s more, but even just this addresses most security concerns.

This is used for testing specific software that only runs on XP.

Ooh, I had a serial mouse (9 pin) from Microsoft of all companies, in the 90’s.

Damn good mouse.