How could someone exploit the OS an ATM is running?

Well, there are a couple of potential attack vectors which could be relevant.

First up, ports. Surprisingly, some ATMs do indeed have USB ports and have been attacked via them (more info here as an example and also this CCC presentation on infecting ATMs with malware). However, you'd hope that ATMs have decent physical security to help mitigate that class of risk.

Then there's attack over the network. One of the downsides to Windows XP is that services like SMB are running and pretty much impossible to disable without making it very hard to manage the system. You could obviously firewall off the ATMs, but there still needs to be some network connectivity for management and to transmit transactions.

Now, you'd hope that everyone's ATM network is physically separate and not contactable from any other network, but the idea that companies will maintain good air-gapping is not likely to hold 100% of the time in the real world (look at all the SCADA problems that people thought would not happen due to all SCADA systems being air-gapped!).

So the answer really is that ATM software will be attacked in the same ways that other Windows XP systems will be; it may be harder to carry out, but not impossible.


Personally, I don't think that the support end of Windows XP is such a great deal for embedded systems like ATMs. I gave a quite detailed answer to this here. It definitely matters for the consumer market, though.

In regard to your question on how these things might get exploited, refer to this blog entry for a few examples from the past. I think you are right in stating that it is hard to come up with schemes that directly attack the ATMs themselves. They don't have anything but the keypad to interact with, and I don't think you can reach them directly through the public Internet.

Most of the attacks have at least some sort of social component (e.g. impersonating maintenance staff) or are about skimming cards and such. The latter could even be prevented in most cases by explicitly using chip-based systems rather than some sort of magnetic stripe.


The end of support for XP is not as big a concern for ATM security as is the lack of overall support for the operating system. Right now, when an ATM manufacturer runs into an issue with XP they cannot resolve, they can call the vendor and get assistance; once XP is end of life, Microsoft can simply refuse that help. ATM manufacturers looking to bring in new features may be limited by that lack of support.

That's not to say that there are no security concerns, as Ploutus shows. Ploutus is malware used by thieves who can slice into an ATM and access a USB port. It started in Mexico but has now been seen in Europe. It exploits an XP vulnerability which will be patched while there is support for the OS. Once that support goes, any new vulnerabilities found will remain open, so ATM manufacturers won't get any help.