My day job is with the U.S. Dept. of Defense. I see some things called the Information Assurance Vulnerability reports, which come in Alerts (IAVA) and Bulletins (IAVB). There is also a "T" but that is rarely worth attention. They are issued from many sources and are reported through NAVNETWARCOM (Naval Network Warfare Command) as a central tracking point. Hacking of government sites is serious enough that the US Navy created a command specifically for fighting against hackers. You could perhaps accurately say that while I don't carry a weapon or launch a missile, I am a front-line fighter in the international war against terrorism - in this case, terrorism by hacking.
My position includes keeping my O/S patched on a regular basis. I also need to keep up with these IAV notices because the US Government tracks these notices across every machine in their category. As a general rule, a machine that isn't patched in a timely manner has to be dropped from our networks, patched, and then fully scanned so that it can be certified as having up-to-date patches. At my work site, we have a whole group of nearly two dozen people whose primary job it is to keep machines in a ready-to-run state. It is a full-time job and often more than full-time. Multiply that by how many government offices exist in the USA and you might get an idea of just how seriously we take this job.
The problem with running older machines is the lack of new patches to fix new vulnerabilities found in those older machines. Once Microsoft drops support for an O/S, you should seriously consider dropping all use of that O/S as quickly as possible. Otherwise, you will NEVER keep ahead of the hackers.
Hackers can be subdivided into two categories - targeters and browsers. Targeter hackers have an agenda with an agency, company, or industry. They attack based on what their targets do. They want to do damage or want to steal some part of a company's intellectual assets. They may be performing espionage for hire or they may be looking for secrets to sell within a particular industry.
The browsers are just grazing the net looking for what we call low-hanging fruit. If they see signs of a weakly secured site, they hack in. They see what, if anything, they can find. For the browser hackers, it is all about targets of opportunity, which means you want to give them no opportunity. Running an older O/S is a flare-lit signal for them to attack, almost like a shark feeding frenzy.
The hackers go where they think they have the best odds. This means they play the law of averages. Most people use Windows for their workhorse machines, so that is what gets attacked first. Assuming a "normal" distribution of patching, the greatest number of unpatched or partially patched systems will be Windows-based. This means the hackers who hack Windows systems have the best chance of finding something.
The next category is UNIX. That gets attacked a lot. The Macs are just now coming into general use since they gained the ability to run Office-compatible code. So they get their share of assaults as well, and it is growing. Other operating systems such as OpenVMS are not being hacked for a couple of reasons, including that you CAN'T hack OpenVMS in the same way that you hack other systems. It is not invulnerable, but it happens to not be vulnerable to the most common attacks - buffer overflows with specially constructed messages. Problem is, it is a "mature" O/S - translation: nobody wants to use it any more because it doesn't run modern Office s/w.
I am not able to give you accurate statistics because I'm replying from my home system. I cannot get to a site that holds the "real" hacker statistics from here. However, I can state without fear of contradiction that hardening a system to resist hacking attempts is not trivial and is never done. On the 15th of this month alone, we got over 20 new IAV notices of specific vulnerabilities on a mixed bag of products from MS Windows itself, DNS services, Office, Excel, PowerPoint, and some non-Windows networking products. We'll get more notices on the 1st of the month. Every two weeks, not quite like clockwork but almost, we get a new cycle of alerts. If this kind of information persuades your bosses to think about upgrading, be my guest to print this out and give it to them.