Originally Posted By: dougwalkabout
I do worry about people who don't understand the implications. If they do critical stuff like banking online, that's blood in the water. No doubt the sharks are circling.

If you believe what you read in the tech press, there are already bot nets out there composed of tens or even hundreds of thousands of hijacked PCs, mostly used for spamming purposes or DDoS attacks, a big proportion of which are probably XP machines. And that's just a single bot net! I'm not sure how MUCH worse it's going to get when XP officially stops being supported. Many of those infected XP machines could be overseas, though, so maybe it could get worse here in the US.

An average XP user who practices safe computing/email practices and doesn't have their PC connected directly to the Internet (i.e. is behind a firewall or NAT router) can be reasonably secure from infection for a long time. For these people, visiting an infected website may be their biggest risk, so trying to do as much web surfing without Java and JavaScript could improve their security tremendously, although you lose a lot of functionality, but it's a price to pay for more peace of mind.

Actually, online banking is something that should really worry anyone who does commercial banking, even for a small business. Banking laws and policies provide a lot of protection for consumers, but for business accounts, the onus is really on the banking customer. If your business account gets drained because your PC is infected, you're often out of luck and the money is gone. There are stories of small business owners who had to watch helplessly as they watched some hacker take control of their PC and steal money out of their accounts as they watched. Pulling the plug on the computer would not have necessarily helped since the hacker already captured their banking login info anyway. So, if you're a small business owner and still on XP and do online banking, I would HIGHLY suggest that you get something newer.