1. The cost of replacing the hardware – which doesn't meet the minimum specification for running a newer operating system (OS).
2. Legacy systems – will the software used on a daily basis actually run on a newer OS? Is it still supported? Does it have to be upgraded to a newer version that supports the new OS? If it's no longer supported beyond XP, what then?
3. Staff training – imagine having to retrain everyone in an underfunded, understaffed, overstretched, not particularly IT-literate organisation to familiarise them with a new OS and the new software that sits on it.
A few years ago I was working for an Australian company developing DOS-based computer systems for NHS trusts, using a customised PC programming language developed by an American company and based on COBOL (a mainframe programming language dating back to the 1960s). The American firm stopped supporting the programming language because we were the only company using it, so we bought the rights to the language and built an IE interface on top of it to give our NHS customers a shiny new 'Windows interface'. The parent company decided to pull out of the UK market and sold the UK business to a management buy-out. It was taken over twice in 18 months by competitors who got rid of most of the staff supporting the legacy systems they inherited. The new owner was involved in a tax avoidance scandal and eventually pulled out of the software market. So good luck to anyone in the NHS who has the misfortune to still be using the theatre booking system I wrote, in getting it to work with anything beyond XP.
One workaround for legacy systems that need XP is to run them on an XP server firewalled off from the rest of the network and the outside world to prevent infection. That's not particularly helpful if you need to share data, and it's not foolproof either.
I once worked for a bank that took this approach to IT security. They assumed, when dealing with viruses, malware, etc., that so long as their firewalls were up to date and the entry points to their networks were secure, nothing behind them needed patching, as nothing infected could reach it. It worked beautifully until someone who'd been working from home plugged their unpatched device into the network and a particularly aggressive 'worm' ate its way through it.
Given that a well-resourced organisation like a bank can't get the basics right, I seriously doubt this problem is going to go away any time soon, as the NHS doesn't have the necessary resources, skills or political will to deal with it.