While that may be a problem, what IT staffers need to start doing is find ways to show that once security patches for windows XP and IE6 stop rolling in, that the opportunity cost to hold onto those websites and dealing with what users inevitably drag in is far greater then simply hiring a programmer to rework all those "must have" programs into something that's a bit more future proofed.
There is one downside, and that's when you run into a vendor that refuses to use anything newer, claiming that only that really old PoS will do the job they way that it's meant to be. That's the only situation I can see where IE6 will be forced to stay.
Enough with this good enough BS, Windows XP deserves a good burial, it's lived long enough.
I've never been canoeing before, but I imagine there must be just a few simple heuristics you have to remember... Yes, don't fall out, and don't hit rocks.