I work with a lot of banks and almost ALL of the ATMs are still on XP.
Support for XP Embedded software doesn’t run out till 2016.
Many moons ago, I was the Infrastructure Architect for a large multinational bank that ran IBM's OS/2 on their ATM devices. (Many banks did at that time.) I designed the infrastructure and specified the requirements to move from OS/2, which IBM was de-supporting, to Windows XP.
At that time, the concern with Windows XP, which was still relatively new, was with device driver compatibility for all the components in the ATM devices, and the security of XP itself, so we didn't have ATMs "spitting out $20's" on the streets.
It took the better part of 18 months for the major ATM vendors to get the device drivers for the various mechanical components, keypads, and display devices working properly.
At the same time, banks also had to meet the requirements of the Americans with Disabilities Act for those who were blind/sight impaired or hard of hearing/deaf. None of which was a minor undertaking.
Since I was also responsible for the security architecture of the OS, ATM devices and network configuration, all our ATMs came into the bank's data centers via private connections (no internet-based connections) on our Metropolitan and MAN networks, inside the firewall, segmented on their own network subnet.
This made it possible to prevent internet access to the ATMs, and prevent any ATM that may have gotten physically compromised from going anywhere else on our network.
We were also able to monitor the uptime and availability of the devices, cash on hand in the devices and their physical security (if someone tried breaking into the device).
If someone attempted to physically break into our ATMs, we had a kill-switch in the device so that if someone managed to open it without entering the maintenance security code on the device, the ATM would disable all internal components that distributed money through the money changer, fire off an alert to our NOC that the device was in the process of being compromised, and send an alert to the local PD.
We did have two occasions where some nutjobs literally STOLE the entire ATM devices and tried opening them to get the cash out of them; both attempts failed. We found one ATM in a farm field in Plainfield, IL when the farmer called us to say he found it; another was literally ripped out of an ATM drive-up island in the middle of one of the bank's parking lots. I can pretty much assure you or anyone else that most banks did as we did to secure their ATMs in a similar fashion. As long as they're not exposed to the Internet, they'll remain secure.