Using an up to date operating system is only "part" of security, its one single layer, usually one would expect in a proper security locked down situation to be many layers, its entirely possible e.g. a Windows XP system can be more harder to exploit than a Windows 10 system.
Whilst newer operating systems will have more "known" security vulnerabilities patched, they also have new features which are possible attack vectors, and not every single vulnerability gets patched, some might be not patched as they not known to the public and some will be 0 day.
In addition as mentioned XP is still supported if you willing to pay for the support, its "inclusive" support that has ended.