For all the talk about exploits and vulnerabilities, I've yet to see it happen on a consumer PC. I've cleaned up many dozens of infected machines and always without exception the user had installed something. As long as the browser is up to date the biggest most wide open attack vector is the user. Next probably the browser, I use Adblock and Noscript always. Not saying it's impossible, but the risks of running an old unpatched operating system are dramatically overblown and the resistance to updating is Microsoft's own doing by bundling security updates with feature and UI changes, and by requiring a stream of constant reboots.
I've seen it happen on three PCs, but those machines were basically servers (although they were running a consumer version of Windows) that were never updated, either the OS or the apps.
Well that's not really the same thing. I mean if you have a server that is exposed to the outside world then yes you need to keep it up to date, but a non-server OS on a server is a problem in itself.
The problem is forced updates on desktop/laptop machines which not only rudely change features and functionality, annoyingly revert settings that the user deliberately took time to set and occasionally uninstall programs, but also they wake the machine in the middle of the night or hijack it for an hour or more right when you're trying to get some work done.
I've seen a business put on hold for over an hour when the PC they used for all the client invoicing and credit card processing decided to update in the middle of the work day, I've had my work laptop hijacked right at the start of a meetinrbg when I was about to present something. My friend who lives in a studio apartment has complained of his gaming PC waking up in the middle of the night, fans roaring and lights blazing to install updates. The whole thing is just poorly thought out, they have made some improvements but these are all things I would consider the bare minimum that should have shipped in the first place. An operating system as a service is not the way to go, users want to customize and control their OS.