I would say that regardless of the OS, there are "0day" exploits in the wild and that any patches/updates/hotfixes are reverse engineered. It is not MS specific for that to exist. But as someone pointed out, there may be an appearance that exploits are released after patches, since those that discover the holes don't necessarily do "full disclosure" and wait for MS to respond to it first.

IMHO, I think this article and statement might lead some of the more general users to think that there is no risk as long as they have patches, and to not worry about security outside of patching a system. In addition, the statement that it is only legacy software might lead some to think that having a default install of XP or 2003 makes them secure as long as they are patched up the proverbial "wazoo". Personally, I think this sends a misinformed message to users about what they need to be aware of.

Users should be told that no matter when a patch is released, there is always a risk. It doesn't need to be a panic statement, but a general education statement. Time and again, we know that an educated user is at least somewhat better than an uneducated one when it comes to security.