You must not remember some of the more memorable worms like Blaster. It was a complete nightmare and would own machines that weren't behind a firewall in minutes. Luckily long since patched, but it's only a matter of time for others.
However, I believe these OSes come with certain presets that will not expose them to the wild internet immediately. I assume (yes - assume) that MS has enabled the firewalls by default on these images, so unless you use them to browse to certain "entertainment sites" you should be quite OK...
Edit: OK, ran a lab test (so not the real thing): Windows XP with IE6 on one VM, Kali with Armitage on the other. A "Hail Mary" of 22 exploits did not result in any session on the Windows machine...