Well, with Microsoft (and many other software companies) ready to pull the plug on updates for this OS, I hope you have faith in your antivirus to stop every unpublished exploit.
Anti-virus systems are not required for anybody who practices even a tiny modicum of caution (don't browse with plugins like Java enabled, never open attachments, don't click on links) - and standalone with a half-decent set of firewall rules your Windows XP system will be fine.
A patched system with a firewall on and without "trojan horses" brought in by the user is relatively safe.
XP will stop getting patches soon.
And this list (http://www.cvedetails.com/vulnerability-list/vendor_id-26/pr...) is only going to get longer and longer, because even though Microsoft will be EOLing XP, there will be tens of millions of Internet facing machines using it, probably even in 2020.
Having a firewall + not loading trojans gets you 99.9% of the way to security.
The problems are that normally people (A) don't want to deal with the hassle of a firewall, (B) don't like to be cautious about opening attachments, (C) don't like to be restrained about what they click on, and finally (D) tend to browse with all sorts of plugins loaded (not to mention JavaScript being almost universally loaded).
For those people, yes, they will need to have a lot more handholding by their operating system vendor.
For somebody running a Windows XP system that doesn't have to do any of those (cash register, kiosk, office machine) - they are fine, can be locked down, and can probably run Windows XP for the next 20 years without concern.
Most places I know of running WinXP are completely cut off from the Internet, using personal media like pendrives is prohibited, and the identity of a user is confirmed with a physical "PKI card" or something.
They will use their XPs long after the universe dies, I think.
"Most"? Really? Most of the XP machines I know of are being used like any normal desktop machine: email, browsing, office, thumb drives, etc.
I know things are different with industrial machine control, they might be different at my doctor's office, and so forth. But I don't think those special situations add up to "most". Not yet.
And the dentist's office is one of them, actually. Anyway, I may be wrong about this right now, but as you note, in a few years, when support dies and nothing works on XP any longer, it will still thrive in the environments I describe.