Windows XP is mostly fine on the internet if you have a good hardware firewall in front of it, but if it's directly exposed to the internet in any fashion, it will be owned in literally minutes.
I had a customer with an old Bosch DVR that was Windows XP-based. He got angry letters and phone calls from his ISP telling him he had a zombie on his network, which was the DVR. Despite my warnings, he had the thing DMZ'd on his router and didn't actually have a monitor hooked up to it, so he couldn't see that someone was remotely controlling it. They had left the DVR software running, so he didn't suspect anything, and were just casually using it as a zombie to DDoS random targets.
I cleaned the thing up, and as a test, I put it back on the net DMZ'd and it was literally minutes before you saw someone else exploit the box and take full control of it. I made sure the customer saw the whole thing because he couldn't believe it.