Nah you can run Windows 7 just fine, the attack surface of the OS itself is limited significantly by what's exposed on the network (don't open ports lol) and what's run on the machine (don't run malware lol).
Up-to-date browser is something pretty independent of the OS.
I work in cybersec and believe this unironically btw.
The reason updates are shilled to businesses is compliance theatre and consultancies/B2B software solutions for patch management, and the reason it's shilled to consumers is so they don't take ownership of their software and simply consume the latest product that big data determined generates the most engagement for advertising or is of value to market researchers, à la Win10 ads in start menu and preloaded adware and telemetry.