A patched system with a firewall on and without "trojan horses" brought in by the user is relatively safe.
XP will stop getting patches soon.
And this list (http://www.cvedetails.com/vulnerability-list/vendor_id-26/pr...) is only going to get longer and longer, because even though Microsoft will be EOLing XP, there will be tens of millions of Internet facing machines using it, probably even in 2020.
Having a firewall + not loading trojans gets you 99.9% of the way to security.
The problems are that normally people (A) don't want to deal with the hassle of a firewall, and (B) don't like to be cautious about opening attachments (C) People don't like to be restrained about what they click on, and finally (D) People tend to browse with all sorts of plugins loaded (not to mention Javascript being almost universally loaded).
For those people, yes, they will need to have a lot more handholding by their operating system vendor.
For somebody running a Windows XP system that doesn't have to do any of those (Cash Register, Kiosk, Office Machine) - they are fine, can be locked down, and can probably run Windows XP for the next 20 years without concern.
XP will stop getting patches soon.
And this list (http://www.cvedetails.com/vulnerability-list/vendor_id-26/pr...) is only going to get longer and longer, because even though Microsoft will be EOLing XP, there will be tens of millions of Internet facing machines using it, probably even in 2020.