This discussion has been rehashed over and over. That assumption ignores the users abilities, 3rd party security-ware, settings, type of attack, and more. It also assumes that attacks that work on newer systems will automatically work on the older ones. The older an OS gets, the less true that becomes. Most all of the rootkit based malware won't function on my system, even if I let it try, just as an exploit that targets a service won't work on a system that doesn't have that service. It cuts both ways. New and patched doesn't equal secure. Old doesn't equal insecure. I don't even want to try to count how many times MS has patched their own patches only to find the same thing exploited again. From the start I said that running an unsupported OS or taking the unofficial support road is not for the casual user. It's for those who know their systems well, including its potential attack surface. All of them can be secured against internet threats. All of them will fall to a skilled hacker.