You’d be foolish to omit network vulnerabilities as part of the issue. As a server administrator and network engineer, I can tell you that everything from your ISP modem to your iPhone is scanned on a regular basis from points all around the world for port and protocol vulnerabilities every day, every hour, every minute.
I run a VM server and host several gaming clan sites and voice services from my home, and my logs are flooded with requests from all over the globe: Romania, France, Sweden, Russia, China, Vietnam, the Philippines, Venezuela, Brazil, you name it. I’ve set up filters on my proxies to prevent IPs from Russia and China, specifically, but my firewall logs are constantly hammered. They’re scanning every possible port from lowly SSH (22) up through the higher random ports most Windows systems use (1024-65K). If they find something, they’ll get in.
This is where I tell everyone who is using Windows XP to STOP USING WINDOWS XP! I don’t care if you’re in your 60s and XP “just works,” for us younger whippersnappers, there’s nothing more laborious or frustrating than getting a call from our elders about computer problems and coming to find out you’re running XP. Would you still be driving around an Edsel if you could? C’mon! XP is a giant vulnerability matrix. You’re on your own VERY soon, as MS no longer supports the OS in any way.
Many POS systems are running XP or some screwy Windows variant. There are plenty of FREE Linux distros for POS. Most large businesses like Target don’t want to invest the money for the right people to do a large-scale implementation, but we do exist.
Businessweek has an article saying that 95% of ATMs worldwide are still using XP. Support for embedded XP ends in 2016, instead of this year for regular XP. It wouldn't be surprising if POS systems have similar ratios.