I will say that at this point WinXP or earlier users do not constitute a very tempting demographic for "your average nefarious players."
There has to be a relatively large payoff to dedicate the time and resources to create malware, ransomware, viruses, etc., even if that "large payoff" is the maker's amusement at the havoc they wreak.
Windows XP and earlier constitutes such a small user base that it's no longer a "target rich" environment.
It's abundantly clear from what's been said in this thread that pretty much everyone knows that XP is dead as a fully functioning general purpose OS in the modern world. There will always be those who want to use something "quaint," and who will, knowing the risks involved. So long as they do, that's their choice to make. Even if they don't, that's their choice to make. Ignorance is, as the old saying goes, bliss.
Brian AKA Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134
. . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it. The willing suspension of disbelief has its limits, or should.
~ Ruth Marcus, November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story