Re: What's the real danger?
It all depends on how common YOUR usage is.
The places where you can assume that your users are always going to be non-hostile and that you're holding nothing of import that you have to protect? Sure.
But did you know you can get done for a DPA violation for just letting someone have access to certain data that they weren't required to have as part of their job? And PCI standards pretty much dictate that you have to be on the new OS with official update procedures in place and supported software throughout?
Before you even flinch, you have to consider that - say - every school MUST upgrade. All web businesses MUST upgrade. Most offices MUST upgrade. Anything on the network periphery MUST upgrade whatever you're doing. Anything that handles credit card data in any way - even offline - MUST upgrade. And so on. Before you even start, you're close to the majority of computers in the majority of workplaces. At that point, convenience, homogeneity, simplicity of deployment and just hardware refresh means that you probably shouldn't be on 2003 almost anywhere now.
Sure, I've run an internal Intranet server for years and got several hundred days of uptime from it, because it wasn't critical, held no important information, and wasn't accessible remotely. But the problem today is that the places you can do that are increasingly rare. I converted a school from 2003 to 2012R2 only last year (they'd not bought into the MS annual licensing, so only had VLKs for 2003, so we were putting it off as long as possible until we KNEW we had to upgrade). But it was still technically in support then and even then we KNEW we were leaving it very late. Only a tech-savvy Bursar, a huge injection of cash, and dire warnings of what would happen if we stayed on 2003 much longer prevailed (for a start, our MIS system was dropping support for the same reasons given above, and MIS software runs the school).
Consider even a basic school or office. Your Exchange server is front-line, so that has to go. You probably have RD or website hosting machines - they have to go. Your AD servers have publicly visible names and (in a small scenario such as that) probably host user files too. It takes a second to guess share names and start poking holes in them, especially if they aren't updated. Sure, you have staff processes in place to discipline those who access data like that, but as soon as you go from small business to having employees that might be unhappy, you have to protect them.
So that's all your main internal servers. Now you're doing that, you need to integrate old 2003 servers with your brand new (presumably) 2012R2 setup. The hassle of doing so, especially if you've taken the opportunity to virtualise, means it's probably just easier to wipe them out and put in a 2012R2 VM to take their place. Hell, you can do it on the same hardware if you like - the chances of you being in a place that is at 100% CPU on all their servers is vanishingly small - and it's silly to drag around old systems like that.
Sure, for some reasons, for a mom-and-pop shop without direct finance detail access, you can get away with not keeping up. For the majority of places, someone's going to have your arse for not keeping up to date - whether that be data protection, PCI-DSS, or just your boss. I'd say if your IT FTE (full time equivalent) staffing is much less than 1, you "could" get away without updating. For anything else, you damn well shouldn't be because almost certainly there's more on the line than just your job.
And if you don't know the DPA, PCI-DSS, etc. off by heart but you deal with personal data / card info, the chances are you're going to fall foul of it before long anyway. And if you do, you know why you have to keep up-to-date (hint: the potential for PERSONAL LIABILITY now!). You can't afford to let the data you have get into others' hands, so you can't be sloppy about managing it, so you can't put it on outdated computers of any flavour.
It doesn't save you automatically, but if you can show "reasonable effort" was used to secure the system, and not just "I let it linger on an 11-year-old OS", then chances are you'll be seen as doing your job, and not being irresponsible with people's data.