This has left some old or redundant systems open to data lapses," claimed White.
Something about this doesn't quite ring true. It should be possible to (at least try to) ensure data is secure without needing to upgrade the equipment. Encryption etc can be done for free (although businesses do tend to want key management systems etc). At the end of the day, if you've got a Windows 2000 machine that can't be upgraded (because you can't afford it, and there are no longer updates coming through) the answer is quite simple: don't use that machine for customer data.
Things are tight for small businesses, and due to their size they won't always include someone who knows what needs to be done (leading to extra cost as you need to hire someone in), but customers are essential to the business. Risking their data is not a good long-term business plan, in any sense, and businesses need to become more aware of this, blaming it on old hardware just doesn't cut it IMHO.