Generally speaking, yes. Anyone running Windows XP on a computer connected to the Internet will be susceptible to new attacks on the OS Kernel which may have holes that are still open, or new viruses and malware. Given Microsoft spent the last near 15 years issuing security patches for Windows XP, that in and of itself should tell anyone with a functioning brain that they'd best move off XP and onto an OS that'll continue to have security patches issued, or they'll have only themselves to blame when their computer gets infected, becomes useless and they lose their data.
Now for Banks and ATM's: I cannot speak for every bank, only the few I'm familiar with that I've worked on ATM Projects for.
Banks (generally speaking) do not have their ATM's on public networks, meaning internet accessible. In the implementations I'm familiar with (including the one I'm working on now...) ATM's are connected back to the bank or a third-party service provider via a closed network. That network may be a MAN (Metropolitan Area Network) MPLS, occasionally closed DSL. In rare cases, I've seen ATM's connected via encrypted WiFi. Never have I seen an ATM directly or indirectly connected to the Internet.
Since the implementations I'm familiar with went to great lengths to ensure the ATM's were in no way accessible via Internet, the likelihood of compromise/infection was very, very low. That's not to say it cannot happen, anything's possible to someone with the will and desire to hack.
FYI, there is a huge banking industry effort to get off Windows XP and onto Windows 7. Since ATM's are touch devices, I'm pushing the Bank I work for and the ATM Device Manufacturer (Diebold) to focus on Windows 8 instead which would be more efficient, and "native" to the ATM Program Software itself. The delays in getting off Windows XP are mostly due to ATM Manufacturers having to re-write device drivers for the components in the ATM's to work with a new OS. The ATM Manufacturers are seemingly always behind in that regard, at least that's been my experience the last 10-12 years.
Thanks again for the great explanation. It makes sense that ATMs would only be on a private network, but your comment got me to thinking about the number of non-ATM systems that might use XP or XPEmbedded, that are on the internet. Even some as critical as POS terminals, credit-card swipe terminals, etc. A reputable outfit like Diebold would notify them and make it easy to upgrade but I won’t be surprised if there are others who don’t, and allow those systems to become more vulnerable.
Probably a good opportunity for Linux or an embedded OS like QNX to make some inroads, but the changeover cost would be much greater than just moving from XP to Win 7 or 8.