RIsk reduced, not removed
True, you don't get as many people doing their online banking via a Server 2003 machine as you do via XP, but the risk is still there, even for a machine not connected (directly) to the internet. The vast majority of these systems will be on a corporate internal network, and therefore indirectly vulnerable to downloaded exploits.
An end-user downloads some malware via one of the usual vectors, but instead of infecting the local machine, the malware scans the network for vulnerable 2003 machines and infects one of those.