“Can businesses stick with Windows XP and still avoid a hacking disaster?”
Yep. Just do production work from a limited user account, never using an admin account for internet access, and never using IE8, but instead use the latest chrome or firefox browser. A setup like that is nearly bulletproof.
Also, avoid Adobe Reader. Use Foxit instead.