Why does that matter though? Are there still zero-day vulnerabilities? If the platform is stable and secure today, what makes it stable yet insecure a year from now?
It doesn't actually become any more insecure technically, it's just that as time goes by, people discover more of the existing security holes. While a Windows version is supported, Microsoft will patch those as it learns about them (sometimes before other people do, sometimes after), but once a Windows version is not supported, Microsoft generally does not patch those security holes even after it learns about them. So while the total number of security holes remains constant, more and more of them become known to various groups of people, and thus they become easier to exploit.
That said, even supported versions of Windows are not entirely secure. There are almost certainly security holes in Windows 8.1 that Microsoft doesn't know about that could be being exploited today, and could be in the future. There will still be zero-day vulnerabilities, affecting XP (and earlier) through 8.1 (and eventually, later), it's just that it's unlikely that Microsoft will fix them on XP. My suspicion is Microsoft would in fact patch XP if something really severe happened, since it would look really bad if they didn't when XP has over 20% usage share, but for the more ordinary stuff, they won't. They're already issued one XP patch after the official end of support.
My position is that how you browse the web still greatly outweighs what operating system you are using. Someone who's smart about their web usage will likely do just fine on Windows 2000, unpatched since 2010, whereas those who are careless will still get viruses on Windows 7 and 8.1, even when fully patched.