Windows XP is out of support and no longer receives Security Updates, and hasn't received regular security updates since April 2014. Microsoft has provided a few out-of-band security updates for serious issues like this one to the public and continues to provide security updates and bulletins to corporations paying for extended support contracts.
The last Security update for Windows XP was KB2965111 on May 1st, 2014, (which was also an out-of-band update). I can find no reference or information about XP updates (KB articles) issued after that date.
Some users have decided that fiddling with their registry to make Windows Update identify their system as a POS Terminal system is a sufficient replacement, as those continue to receive EFT security updates. The fact that EFT security patches aren't particularly useful on consumer systems doesn't seem to affect their glee at "beating the system".