We are told that it is secure.
When an assembly line with a production deadline and everything downstream of that is standing around waiting for IT to get things up again, it is a bad situation.
As long as there is no connection to the Internet and no one is coming in with USB thumb-drives, you are probably secure.
The Windows kernel is known as the "New Technology" or "NT" kernel, developed in the late 1990s, and is the basic kernel for Microsoft's "Windows" operating systems even today. Which is why many older applications will still work. The most vulnerable are the applications which make use of specific drivers written for specific processes. And controlling external hardware is probably the worst of these.
I have had clients that kept old NT machines online because they worked with the Siemens SCADA architecture (of "STUXNET" fame) well. But it seems inevitable that someone manages to get one of them onto the Internet to check email or something. Often with a thumb drive WiFi system. I've seen them wire up modems to their desk telephone so they can "work from home". All of this, of course, destroys the secure nature of an isolated system.
The best way to overcome this is to have duplicate systems... one with access to the Internet and the other without. Mostly they use KVM switches to share keyboards, mice and monitors but the best way is to put the secure system across the room so they have to get up and walk over there.
The downside to maintaining a backwards-compatible operating system that runs legacy applications is that they will also run legacy malware.