Properly patched, firewalled, and AV'ed, XP is secure.
Anyway, the concept is basically true. The bigger the presence of a program, the more potential there is for it to be attacked.
It's kinda like playing beer-pong. (Well, kinda...) The more cups you have, the easier it is for the ball to make a score. Conversely, the fewer cups you have, the harder it is.
If you've got an obscure little group of users on an application, the chances that a virus will be developed for that is small. Also, most people developing viruses aren't going to waste their time coding for small apps when they can try to knock down bigger fish.
So if you have a big application, which we'll call "Sodwin SPOX" for example, with 90%+ of computers running that application, the chances of a new virus being developed for Sodwin-SPOX and getting picked up are great.
You could have an application built like Fort Knox, and given enough installations, the potential for it to get blasted is still present (and high).
However, the logic of going to older builds of an application to avoid viruses isn't always sound. Older applications tend to be much easier to hack than newer ones, and older applications still suffer from viruses circling from the ages when they were popular. Remember, viruses don't go away, they just get avoided.