Yes, it's a hassle to update. Each installation, and each security update has to be evaluated. So what exactly is your plan? You can't update all those systems overnight, and even if you made some dedicated push to get rid of Windows XP, by the time you were done, in say, three years, somebody would say "Why does the government still use Windows 7?" So you'd start a push to remove Windows 7, and by the time you were done, in another three years, somebody would say "Why does the government still use Windows 8?" So you'd start a push to remove Windows 8, and by the time you were done, in another three years, somebody would say "Why is the government still using build 1507 of Windows 10?"
The government's computers, even if architecturally similar, are not just run-of-the-mill desktop or laptop computers. If one controls, say, the missile control system on a destroyer, you have to pull that ship off duty for retrofitting, possibly port or rewrite the programs it uses to a newer system, update the hardware it uses if too old to run the newer operating system, and then test that system before a full redeployment. And your spending the millions of dollars it would take to do this because the operating system has vulnerabilities that can't be exploited anyway, because the computers are not connected to a publicly accessible network?