When will they learn?
Always build the control software for these from the ground up, it may be tempting to use an off-the-shelf kernel (UNIX, WinNT, GNU/Linux, or whatever) but there wiull always be a vulnerability in the code. There shouldn't even be enoguh code in there to even warrant using a full-blown OS anyway. The machine only should have just the keypad, card reader, display and a modem and some sort of peripheral control system (For dispensing reciepts, money, etc.).
Most modern ATMs contain a maintenance mode to flash the BIOS, dump logs, etc. If they made the control board simple enough that an engineer could easily swap the board when it is malfunctioning or needs an upgrade. Then they would no longer need any NVRAM or any other writable memory and have all data sent over an encrypted VPN and have all the camera footage / transaction logs written to a central database. Dip it in epoxy and then only the engineers who make the board will ever know how the thing works. While this solution would be much more expensive than the current method, it will be far more secure.