Windows XP and even early releases of Windows have a lot of software resources available. Unofficial service packs and various addons like "KernelEx" can allow them to run software much newer than they could otherwise execute due to compatibility constraints. You can find something similar for Mac OS; though I found PowerPC OS X a bit annoying to find software for, Mac Classic seems to have a lot of software packages including the semi-modern "Classilla" browser. In that context we can probably dismiss security concerns because it would pretty much require that the Classic OS be targeted to be appropriately compromised, so it's less of an issue there.
On the note of security considerations, though, I'm going to partly disagree with camerongray here, at least as it applies to end-user consumer systems. Servers and corporate workstations should be kept up to date where possible.
(Mind, I also disagree with the quoted user. Aside from the points Cameron made, System Restore was not removed from Windows and still exists in Windows 10, and malware often infects System Restore anyway.)
That said, in terms of security, I don't think that vulnerable software or exploits are something that a typical end-user is going to need to worry about, as Trojan horse malware has effectively a monopoly in terms of the infection vectors. People get infected through their own stupid decisions, like setting their AV to ignore and running that installer that the guy said was a false positive, or just happily giving full Admin privileges to this executable they downloaded because they want the shiny carrot on a stick that it claims to provide.
Interestingly, Wannacry actually provides a good example of this.
Consider that the Eternal Blue SMBv1 exploit allowed the malware to spread from one infected system to another *on the same LAN* (not over the Internet, unless you specifically forward ports and stuff... in which case, well, have fun). This is obviously a massive issue for large corporate networks (as seen with the NHS in that case), but despite the noise made about how important it is to patch it, the underlying problem, the patient zero, was almost certainly infected via more traditional means. Which also stresses the point: regardless of whether a system is patched, it could *still be infected* by Wannacry via more "traditional" approaches, and can then still spread its infection to other unpatched systems.
>if you're using an unsupported browser because it's the newest version that supports XP then what if there's a remote code execution vulnerability discovered in the browser that allows a webpage to access the underlying OS?
I do not think that dreaming up what-if scenarios is particularly useful. One can presume of course that remote code execution vulnerabilities have been discovered in browsers and therefore they may remain unpatched going forward for an unsupported version. But knowing that, it is fairly easy to take precautions. Realistically, I'd argue that for the most part those precautions should be done generally, because even the latest releases of browsers are going to contain unpublished and unmitigated security exploits which could be being used nefariously. For example, IMO there is zero reason to ever allow Javascript to run on a webpage by default, except for known safe websites (in which case compromising a vulnerable system means compromising the website). Flash and Java are obviously completely out of the question to even be present to be enabled, too. This greatly reduces the attack surface area and removes the primary "drive by download" vectors, or in many cases makes them require some level of user interaction to, for example, download a compromised EMF file and then view it with a vulnerable viewer.
Another aspect is that while a system does not become less vulnerable over time, it becomes a far less likely target. Windows XP is arguably not "out of the woods" yet, but eventually it will be in the same bucket as things like Windows 95 and 98, which are not just a security sieve but a chute with included instructions, yet it is unheard of that anything targets those systems for compromise, as the number of affected targets would be so low it's not worth it.
At this stage I'd argue that as far as exploits go, XP is leaving the focus of malware authors, who are now moving towards Windows 7 as their primary target as it nears its security EOL. Of course, I still think "as far as exploits go" is a rather small subset. No sense putting in all the effort to exploit a vulnerability or remote code execution when you can just slap your payload into a program that promises something people want. Nowadays you could probably get a good number of "pwned" systems by simply offering trojan backdoors in a 400KB "Red Dead Redemption 2 PC Conversion super compressed by SkIDmArK.exe" or something, telling them it's a false positive in the readme.txt ("why would they lie, I believe them and also want to play this game so I throw logic out the window"). They run it, it does nothing, and so they figure it just doesn't work. Then a few months later they take their super slow PC in for service and the tech discovers how they got infected. That's right, their Outlook is missing a security update, so that must be what happened. They give some lecture on security updates and send the customer on their way, who goes home thinking "Now that my PC is fast again I wonder if that PC conversion of Red Dead Redemption 2 will run?" And they start it all over again. Or maybe they see a silly doge screensaver.exe that they just have to have, or maybe they see some awesome Windows Theme and must have it and must patch their DLLs and such with untrusted, admin-requiring software because they want the theme.
My analogy would be that as important as it is to make sure the castle walls have no easily accessed entry points or weaknesses, there is also no need to design a sophisticated battering ram to get access when the drawbridge attendant trusts everybody.
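The "no JavaScript by default, allow-list only, no plugins" stance from the reply above, expressed as Chrome enterprise policy registry keys. This is an added example and not code from the original post; the policy names (DefaultJavaScriptSetting, JavaScriptAllowedForUrls, DefaultPluginsSetting) are real Chrome policies, while the allow-list entries are placeholders and the script assumes an elevated PowerShell prompt on Windows 7 or later.

```powershell
# Added example (not from the original post): enforce default-deny script and plugin
# settings for Chrome through HKLM policy keys, then verify they took effect.
# Assumptions: elevated prompt; Chrome reads these policies at startup (chrome://policy).

$PolicyRoot   = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$AllowedSites = @('https://[*.]example.com', 'https://intranet.example.local')  # placeholder allow-list

function Set-BrowserHardening {
    # 2 = block, 1 = allow. Blocking by default turns most drive-by chains into
    # "needs the user to click something", which is the point made in the reply.
    if (-not (Test-Path $PolicyRoot)) { New-Item -Path $PolicyRoot -Force | Out-Null }
    New-ItemProperty -Path $PolicyRoot -Name 'DefaultJavaScriptSetting' -Value 2 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $PolicyRoot -Name 'DefaultPluginsSetting'    -Value 2 -PropertyType DWord -Force | Out-Null

    # List-valued policies live in a subkey holding numbered string values "1", "2", ...
    $ListKey = Join-Path $PolicyRoot 'JavaScriptAllowedForUrls'
    if (Test-Path $ListKey) { Remove-Item -Path $ListKey -Recurse -Force }   # rebuild from scratch
    New-Item -Path $ListKey -Force | Out-Null
    $i = 1
    foreach ($site in $AllowedSites) {
        New-ItemProperty -Path $ListKey -Name "$i" -Value $site -PropertyType String -Force | Out-Null
        $i++
    }
}

function Test-BrowserHardening {
    # Returns $true only when both default-deny settings are present; usable as a compliance check.
    $p = Get-ItemProperty -Path $PolicyRoot -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.DefaultJavaScriptSetting -eq 2 -and $p.DefaultPluginsSetting -eq 2)
}

Set-BrowserHardening
if (Test-BrowserHardening) { 'Default-deny script/plugin policy applied; confirm under chrome://policy' }
else { 'Policy keys not written; rerun from an elevated prompt' }
```

On an XP machine without PowerShell the same keys can be written with a .reg file; the registry layout is identical.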