An issue to note is that the patches (a) will not cover XP components that aren't in the embedded OS,
LOL it is my understanding that the embedded OS allowed you to picked the components up to a full xp install so the security offer should need to be for a full xp system.
But is does not matter in any case as no one is forcing you or anyone else to take the patches and for those like myself who are going to be running XP systems patches or no patches for many years into the future there seems little downside.
Next my security is anything but false as I am running up to date browsers in a sandbox under reduce rights cover by an up to date anti virus and and a program that only allowed the programs to run that I had white listed.
OS patches even before the cut off date of XP support is only a small percent of my total security set-up.