"would a good virus/malware program for XP keep her safe from attacks w/o Microsoft's updates"
Not as much as a solid education on common attack vectors.
The issue with running XP or any unsupported OS is not whether it is then suddenly insecure, as in all honesty it doesn't magically become insecure overnight, but rather the peace of mind of knowing you have done all you can to secure yourself from threats. I don't know if anyone can give a definite quantifiable answer as to how much it is insecure in comparison, but you can assume the answer to be 'more than 0' and therefore why risk it?
Working in 'the industry' for ten years, I can count on one hand in my entire life how many viruses I have had. And I knew beforehand what I was doing was likely about to cause them and took measures to minimize risk (VMs). If you are vigilant on spotting phishing, falsified emails/attachments, have anti-adware plugins in your browser & keep said browser up to date, and don't download anything obviously illegal, the rest kinda takes care of itself.
I would never advocate not running AV/Firewalls; they cost nothing and cover your back when you make a mistake, but I guess my point is even with all the AV/Malware protection in the world, the primary point of entry is YOUR mistake and a 0-day Cryptolocker attack will decimate your system regardless.
Ultimately about 9 times out of 10, the user clicked something they shouldn't have to allow the malware to run, rather than some inherent O/S flaw.
My primary concern if I were running XP wouldn't be ingress points for the above-mentioned reasons. It would be threats going undetected/uncared about by modern AV due to lack of legacy support. I would be far more concerned running XP purely because the thought of a keylogger running unnoticed for days/months gives me far more heebie-jeebies than having to restore everything from last night's backups.