Unbelievable
As much as I may get slated for saying it, I'm not shocked by - nor do I even object to - the use of Windows as the OS for this sort of device. Windows, as well as Linux, BSD, QNX and others, would be fine for the job. All of the above platforms are used in embedded environments, including safety-critical appliances.
However, using one that is so, so old is unforgivable. On top of that, using vanilla USB is plain stupid, and I'm also assuming that the OS is set to autorun when the stick is inserted. Unless they are doing something clever and essentially bypassing the OS or exploiting a vulnerability, then the reason this can be achieved is because of one thing - piss-poor configuration.
I don't care what OS they are using, but if it's set to auto-execute anything plugged into the UNIVERSAL serial bus, and the environment is running privileged, then it's totally irrelevant what platform the vendor has used. If it's a vuln in the OS then the vendor should be using a patched and up-to-date platform, and also additional measures should be in place regardless.
Even if you get into the OS and can spin up a shell or GUI, then why should that just give away access to the safe? Maybe after hours and hours, but getting into the existing / current session should not be enough anyway. The control software should be secure, require all sorts of authentication and authorisation...
It's very easy to slate Microsoft, but actually I fail to see how it's the fault of the OS here. The vendor is exposing USB, on a platform built 14 years ago, without good security best practice once you have a session.
Shit security by shit design.