>If you leave insecure connections open for XP clients, you are leaving insecure connections open for anyone as it's likely trivial for the client to say "Yeah, i'm using XP honest, gimme the insecure shit so I can hack away"
If you already own the client box, why are you bothering to listen in to their iTunes connection? Surely you can do something far more productive like mine for bitcoin or scan the hard drive for credit cards or encrypt pictures of their mistress and hold the decryption key for ransom or similar?
And a certificate expiring doesn't make the protocol stop working, but sure there would need to be a bit of extra code for XP in iTunes to allow the expired cert. Still doable.
Again, in this case it's largely a customer service question. And it seems Apple decided that it was easier just to cut off all their paying XP users than spend a modest amount of resources to accommodate them.