The differences are vulnerability disclosure, vulnerability class, and patch availability. The device is most-vulnerable between the moment common hackers know how to exploit it and when a patch (or mitigation) for that vulnerability is applied.

Older hardware has had longer for vulnerabilities to be found. Some might not mitigate new classes of vulnerabilities. The EOL hardware will not receive patches for any vulnerabilities. So, they're at higher risk of attack.

From there, the attack will be either malicious input to that machine over the network or a file that embeds an attack. Many problems can be mitigated by running secure software, esp for input validation, on that hardware. One might also use them offline or on trusted networks with software that's hand-chosen for them. (That's what I do.)