Unpatched XP? So what? What's the threat model?
Right. Patched or unpatched does not make much difference. The important thing is that they run a full blown OS, specifically Windows XP, which means 45 million lines of proprietary unauditable code (trade secret). And that's not counting all the other software the manufacturer added on top of it to turn it into a voting computer.
So an attacker has a wealth of juicy targets: the display driver, touchscreen controller, hundreds of drivers, etc. Anything he changes will be a straw in the middle of a haystack... even more so if he works for the manufacturer or is part of the team that defines the reference software platform.
Plus none of that matters for the voter: he will never be allowed to run a debugger or hook up a hardware monitor on election day to verify that the voting machine has not been tampered with, and with good reason since that would allow him to tamper with it. So even a knowledgeable voter will never be able to verify that the voting computer used on election day has not been hacked, which is totally unlike the situation for regular paper ballots boxes.