Microsoft provides information on each released security update that details what it fixes.

I'm unsure of where to get a list of every security patch Microsoft has ever released for all operating systems sorted by date, but if you did, you can see there are ones that were released for XP after 2k/NT4 went EOL. So from there you can see all the (many) specific things they fixed in XP that they didn't in 2k or NT4.

And of course there could be unique unknown vulnerabilities in older operating systems that simply don't exist in newer versions. If all the vulnerabilities were known they wouldn't exist in the first place, of course.

With XP going EOL it will be the same, the fixes that come out for Vista/7/8 after XP's EOL date are things in XP that aren't being fixed (unless you pay Microsoft for extended support).

Now you can't do this with 9x versions of Windows as they are not from the same codebase as the NT versions (which includes NT4, 2k, XP, Vista, 7, and 8). I agree with @nitro2k01 that it's unlikely that current malware authors are targeting these very old systems. It's hard to say how 9x versions of Windows are more vulnerable (browser or OS) as they have little to no security by design.

Also consider that third-party software, such as display drivers, etc. can be a source of vulnerabilities and require security fixes. Any software that requires administrator privileges, a driver, or a service to run could have vulnerabilities that can compromise the entire system, and that may have received fixes that are only available in later operating systems.