It's quite common for ATM's to be running Windows XP, so maybe that is why this one is doing it as well. And ATM's and POS machines running XP do still receive security updates.
It's common for ATMs to be built on XP, there's no denying that. But the reason is because they were built on it initially, when it was still okay to do so. To using Windows XP for the base of an ATM (especially one that -- by design -- must be connected to the Internet) in 2014 is more than irresponsible. I can't imagine the kind of cargo cult thinking required to make that decision.
I am pretty sure that manufacturer of ATM used XP as a base and Robocoin did not really have a choice. They could have chosen different ATM company, but it's not like manufactures are fallen over themselves to sell 70 ATM machines to new start up.
Because ATMs are usually not connected to the Internet, so there are minimal attack vectors. Every time you make a transaction the ATM literally rings up the bank, using an old fashioned modem. They could probably have Windows 95 installed on them and they would still work fine.
Not really anymore. This was the case with many of the much older OS/2 based machines but the days of dedicated lines are drawing to a close. Most ATMs I serviced were either directly plugged into a bank's network via ethernet cable or they had a wireless router hidden in the external enclosure and did transactions over a non-dedicated wireless network. These were all XP-based machines.
Updates are issued but they are typically on CD-ROMs from the software vendor, and unless the tech servicing company is going out on a monthly basis the machines are not patched or current. It was not uncommon to tack on 6 different upgrade disks to a maintenance call because that machine hadn't been patched since last year.
They use it because it works for them and it's not worth upgrading and taking on that risk. That said, that in no way excuses using XP for new development.