re: Windows XP Malware: 6X As Bad As Windows 8
Locking down systems, e.g. software install policies, no user admin login, no local admin, change Flash, browser, et al. login to least privileged (not system), and other good security policy goes a long way, but you will get push back from "power lusers" (cf. Vista). Users get ticked off when autorun or UPnP is turned off, or have to wait for their USB key to be scanned.
We've set up XP embedded systems using "Syslogon" (basically user logs on as system early in the boot process) (does not load winlogon baggage) and, as configured, withstood attacks that hacked Win7.