I haven't used updates since I ran Windows 98se. No virus crap, no hacking crap. It's all on how YOU use your computer and the software that protects YOU from yourself.
I have, and apparently it's "outdated" and prong to hacking and virus crap, an XP netbook that's on 24/7. Its purpose is a small local FTP server, phone call annunciator and call blocker and Team Speak server. It has never been "hacked" or gotten a virus.
Again, it's all in how you use your machine. I don't even run an anti-virus. I use Sandboxie as my gate before the fortress and I'll stop there. Just read my system specs. Definition anti-virus is not going to protect you, and updates won't stop future CVEs, ransomware or polymorphic malware. It's all one big pile and this update mandate people put on is a fallacy.
If you have a server with an open port to the world then that's a completely different situation. In fact, patch every and all vulnerabilities no matter how small. I've read that the special mathematical folks at no such agency will pry open a vulnerability no matter how small. Check your server IP at Shodan. I can't tell you how many unpatched servers I've seen out there.
For me personally, the only draw back to not upgrading is games and programs will eventually not work with 7 anymore. And if I want a Coffee Lake CPU and up I need a 300 series MOBO and the MOBO manufacture only has Win 10 MOBO drivers for a 300 series MOBO. So that puts a giant hole in this monopoly. Rich Uncle Penny Bags would be proud. And M$ gets free parking all the time at your analytics expense.
Come the time I do use 10 I'm deploying a hardware-based firewall and blocking ALL of M$'s ASNs. I'm not letting anything M$ in or out of MY machine. If I need M$ I'll use the VPN. The very fact 10 comes with a built-in keylogger should frighten everyone. But seen as how we roam around public with a marketer's wet dream come true -- the smartphone, It's no wonder no one cares.
It's a brave new world out there. At least it better be.