Most of those who are running XP systems are doing so because the bespoke software they had written/bought back in the early noughties will only run on XP. They chose NOT to pay to update that software to run on Win7/8/10 and thus exposed their nether regions for the script kiddies to maim. Don't start bitching about someone not supporting an obsolete OS when you were given PLENTY of warning that it would no longer be supported. The fault is yours; you were too cheap to get your bespoke software upgraded.
Lesson learned? I seriously doubt it. I recently saw an SQL 2000 server that still had no SA password set. Slammer, anyone?