MS Product Lifecycle FAQ (including Embedded)...
"To any other vendors who shipped Windows as the underlying OS for management or client software, or as the embedded operating system, we ask: where are your responses?"
Er, just wondering whether you've had an answer from (or even asked) MS's spinners whether the relevant fixes have been made available to those licenced to use the still-supported variants of XP Embedded (which isn't quite called that but that's what it is). Without those fixes the other options are a bit limited.
Extract from https://support.microsoft.com/en-us/help/18581/lifecycle-faq-windows-products
How does the end of support for Windows XP impact Windows Embedded products?
Windows Embedded products have their own distinct lifecycles, based on when the product was released and made generally available. It is important for businesses to understand the support implications for these products in order to ensure that systems remain up-to-date and secure. The following Windows Embedded products are based on Windows XP:
...
Windows Embedded Standard 2009. This product is an updated release of the toolkit and componentized version of Windows XP. It was originally released in 2008, and Extended Support will end on January 8, 2019.
...
++++
Which rather implies that if builders using a Windows OS in an embedded way had used a Windows OS sold for embedded purposes, rather than using a limited-lifetime desktop Windows, they wouldn't currently be without support. Not that it would have changed the bigger picture, because loads of allegedly supported desktop and server Windows OSes were and are still vulnerable and play an important role in this picture.