Regarding the ATM hack cited, it seems to me that the vulnerability has more to do with a machine design that allows someone to patch in a laptop, and also a lack of protocols that should have prevented someone from impersonating an onsite ATM technician. Even if there were a Windows OS security fix to block one form of malware, the hackers will simply create a new version so long as they have physical access to the machine's USB port.
It's a couple items ,and for sure, physical access makes things harder, but the longer an OS lives, the more vulnerable it can be if not kept patched.
This is a constant race between security and criminals.