I suspect that some parts of KRACK are still applicable to both older Windows and older iOS devices.
The group-key handshake issue (CVE-2017-13080) has a Windows security advisory, but unsupported OSes like Vista and XP are not listed (unsurprisingly). Given that this is a protocol-level issue that has been in place for a very long time, and given that all actively supported versions of Windows are affected, my guess is that XP and Vista are also be affected. (It's also important to note both that paid XP support is still theoretically available, and that the Qualys advisory includes XP Embedded in its detection list for this CVE.)
The impact, from the paper:
By forcing nonce reuse in this manner, the data-confidentiality
protocol can be attacked, e.g., packets can be replayed, decrypted,
and/or forged. The same technique is used to attack the group key,
PeerKey, and fast BSS transition handshake.
The fast BSS issue (CVE-2017-13082), by contrast, does not appear to have an associated Microsoft security bulletin at all that I could find. At first, I tentatively concluded that no Microsoft products are actually subject to this specific CVE - but then I realized that others have been unable to locate any of the other specific CVEs in Microsoft references.
However, CVE-2017-13082 is an AP-side issue that can only be fully remediated by patching the AP. It's possible that if a device is using Vista or XP in Internet Connection Sharing and it is acting as an AP, then it might be subject to the fast BSS issue. [Edit: there is some evidence that ICS does not use 802.11r]
If so, the impact would therefore be the same as for other platforms - a specific kind of spoofing in which replaying frames from the access point to the client is possible. From the paper:
When the 4-way or fast BSS transition handshake is attacked, the
precise impact depends on the data-confidentiality protocol being
used. If CCMP is used, arbitrary packets can be decrypted. In turn,
this can be used to decrypt TCP SYN packets, and hijack TCP
connections. For example, an adversary can inject malicious content
into unencrypted HTTP connections. If TKIP or GCMP is used, an
adversary can both decrypt and inject arbitrary packets.
On the iOS side, since iOS didn't strictly implement the protocol spec and sidestepped most of the client-side issues, and according to this article, the iOS patch primarily helps iOS clients to mitigate unpatched AP-side-specific issues.
Also, since iOS implements 802.11r, it's vulnerable to that subset of the CVEs. This is covered more thoroughly in this answer.