I fix customers' computers (mostly home users, some v. small businesses) for a living. I personally have never experienced an unsupported version of Windows being attacked and found it to be due to an unpatched Windows vulnerability. The 'WannaCry' ransomware was the only one I'm aware of in recent years that specifically did this.
Windows vulnerabilities have a tendency to be quite random in scope though and tend to involve combinations (i.e. if you have X and you do Y then you're vulnerable if Z happens). Take Windows 7 for example. It has the Windows Firewall, so unless a vulnerability is found in the firewall specifically (which I've never heard of but I suppose it must have happened), no random machine on the Internet can try to directly talk to an open TCP/IP port. The other direct route in would be a blatant TCP/IP stack vulnerability (e.g. malformed packet causes stack to burp) but it's been a long while since I've heard of one.
Which leaves the original scenario (X/Y/Z), so something like "if you use Windows file sharing on your computer/local network and you also share a printer, then an attacker can send malformed printer data and the print service crashes, giving them some privileges to run stuff on your computer", maybe not system privileges but things tend to get easier from there as the attacker has a foothold.
IMO a single Windows 7 PC, patched as far as it can be, running a supported web browser and using it for basic apps usage, and the user isn't doing anything stupid, is unlikely to be successfully attacked. The user making a mistake is the biggest risk as always. However, another thing to remember is that apps have been using Internet Explorer as a rendering engine for ages. IE on Win7 is obviously crazily out-of-date, so let's say you ran an app that likes to sometimes show you the front page of that app's website and they rent out advertising space which is then picked up by an attacker (this is/has been common), the attacker then has their foothold on your system (which could easily happen on a supported/patched version of Windows), but then your old system has a vulnerability that means the attacker can escalate their privs from userville up to system/admin and give you a really bad day.
My favourite version of Windows to date is Windows 7. If I wasn't running my business (which means I'm storing customer contact info and some customer data, and my flash drive that I connect to their PCs is sometimes connected to mine), I might have considered continuing to run Win7 because the risk is only mine, but with my business I've stayed up to date. Admittedly I switched to Linux after Win7 as my primary OS.

Still, I've stayed on a supported Linux version.
Btw, I wouldn't regard the Gmail website as particularly trustworthy because AFAIK they're still showing remote (and particularly with regard to spammers/scammers, highly untrustworthy) content in e-mails by default and it really should be blocked.