Physical security.
I work in UK banking, and yes almost all cash machines in the UK that are major bank operated are still generally Windows XP embedded.
They have no internet connection, and they are not generally permanently pinned up. They all use ISDN2e to call up huge arrays of modems generally in Banking DC's.
They only real way to crack them is physically via a USB attack or such like. So you need to gain access to the unit within the locked cage itself.
Also lots of people mentioning NHS computers. Ive also done alot of NHS work in the past, and again "Generally" the machines that are still running XP are on nhs.net which is an internal mpls network which does not have any external access. Only the internal nhs.net Intranet.
Biting the hand that feeds IT
