Considering a lot of intrusions happen via the web browser / plugins installed in the web browser (Flash/Java come to mind right off the bat), I don't think XP being retired has anything to do with future botnet sizes.
Even if everything were up to date, you still can't make sure that you don't get infected. The common hobby for kids these days: finding and writing exploits.
Exactly how is the OS supposed to stop an exploited browser from doing anything malicious? Even if you have strict access controls like SELinux, that won't stop a browser from participating in a DDoS attack and changing settings like cache or homepage to get reinfected next session. And if you don't have strict access controls, like 99% of desktops, the exploited browser can freely install all the user-mode malware it wants. So XP vs. not-XP is completely meaningless at this stage.
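One concrete check for the re-infection path the comment above describes (a browser profile edited so that the next session fetches from, or routes through, an attacker-controlled host). This is an added example, not code from the original thread or from any of its posters. It assumes the Firefox prefs.js layout of one `user_pref("name", value);` call per line; the sample profile content is constructed, and the trusted-host allowlist, the default proxy type and the set of preferences being watched are the example's own choices.

```python
import re
from urllib.parse import urlparse

# Constructed sample prefs.js content (not a real capture). It follows the
# Firefox prefs.js layout: one user_pref("name", value); call per line.
SAMPLE_PREFS = """\
# Mozilla User Preferences
user_pref("app.update.enabled", false);
user_pref("browser.cache.disk.enable", false);
user_pref("browser.startup.homepage", "https://intranet.example.org/|http://203.0.113.7/start.php");
user_pref("browser.startup.page", 1);
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "203.0.113.7");
user_pref("network.proxy.http_port", 8080);
user_pref("privacy.donottrackheader.enabled", true);
"""

PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Assumption: Firefox's default network.proxy.type is 5 ("use system proxy").
DEFAULT_PROXY_TYPE = 5


def parse_prefs(text):
    """Parse prefs.js text into {name: value}; values become str, bool or int."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref call
        name, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            value = raw[1:-1]
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave anything unexpected as the raw token
        prefs[name] = value
    return prefs


def find_tampering(prefs, trusted_homepage_hosts):
    """Return (pref, value, reason) tuples for settings an attacker would change
    to get re-executed or to intercept traffic on the next browser start."""
    findings = []

    # Homepage: Firefox stores several start pages separated by '|'.
    homepage = str(prefs.get("browser.startup.homepage", ""))
    for url in filter(None, homepage.split("|")):
        host = urlparse(url).hostname or ""
        if host not in trusted_homepage_hosts:
            findings.append(("browser.startup.homepage", url,
                             "start page points at an untrusted host"))

    # Proxy: 1 = manual proxy, 2 = PAC/autoconfig URL; both redirect traffic.
    proxy_type = prefs.get("network.proxy.type", DEFAULT_PROXY_TYPE)
    if proxy_type in (1, 2):
        if proxy_type == 2:
            detail = prefs.get("network.proxy.autoconfig_url")
        else:
            detail = "%s:%s" % (prefs.get("network.proxy.http"),
                                prefs.get("network.proxy.http_port"))
        findings.append(("network.proxy.type", proxy_type,
                         "traffic redirected through proxy %s" % detail))

    # Settings that keep the browser exploitable or force fresh fetches.
    if prefs.get("app.update.enabled") is False:
        findings.append(("app.update.enabled", False, "browser self-update disabled"))
    if prefs.get("browser.cache.disk.enable") is False:
        findings.append(("browser.cache.disk.enable", False, "disk cache disabled"))
    return findings


if __name__ == "__main__":
    for pref, value, reason in find_tampering(parse_prefs(SAMPLE_PREFS),
                                              {"intranet.example.org"}):
        print("%-28s %-40r %s" % (pref, value, reason))
```

Run against a real profile by reading `prefs.js` (and `user.js`, which overrides it) instead of the constructed sample; on the sample the script flags the second start page, the manual proxy, the disabled updater and the disabled cache, while the trusted intranet start page passes. The check reads the profile on disk, so it works whether or not the OS confines the browser, which is the point of the comment: the confinement does not stop the browser from rewriting its own configuration.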