By unification Bill, they are taking a single codebase meaning Windows 10, and using in multiple versions just as Google using their Android and working that into Chrome OS. It's no different than N3V taking what the have now with T:ANE and using that for future versions of Trainz.
The reason for this is to make development and patching easier. If they have multiple disparate versions, it's difficult to patch and update and to develop for since different versions of an OS, that are not related but similar, require software developers to write multiple versions of programs such as a 32-bit version of a program and a 64-bit version, for example, which increases development costs because the code cannot be always shared. In non-software development, it's the same as Ford using the same underlying chassis for the Focus as they do the Fiesta or similar model.
Regarding your list, Windows 9x was not at all related to Windows XP, and is closer aligned with Windows 3.1 and MSDOS. It's still more or less a shell running on top of MSDOS or IBM DOS.
Windows NT, 2000, XP, Windows 7, 8.x, and Windows 10, however, have the same origins. The same with the server versions. Windows NT server 3.51 was the original and Windows NT 4.0 became the forward base. The Server versions share the underlying code, and in some cases are the code that the workstation (personal computer) versions are based upon. Again it makes patching easier for the developers and for Microsoft alike.
In general I find your thread here to be we have to bash Microsoft, but it's not Microsoft's fault. If the organizations had upgraded, and patched when patches were and are available, with a caveat here which I will discuss below, then much of this would not of happened. Just because the hack was aimed at old crappy Windows XP computers, doesn't mean there aren't other hacks available for other operating systems including Apple OSx and Linux versions. The reason they went for the Microsoft Windows is because it's used most commonly.
If you are truly interested in OS vulnerabilities, you might want to look at the CERT website here:
https://www.us-cert.gov/
They track the vulnerabilities and release bulletins to those that subscribe to them. If you look, you will find plenty here for Apple, Oracle Java, Google, and various other operating systems such as the Linux flavors.
Here's one list of bulletins, picked randomly from the list of available ones:
https://www.us-cert.gov/ncas/bulletins/SB16-088
Now remember, as I've said above, even though these vulnerabilities are known it's still up to individual organizations to install any patches should they be available from their vendors. In the IT world when a patch is available, the update may not be installed immediately if the software is running in a critical environment. The reason is the patch has to be verified on multiple systems, usually in a test environment first, then released to the user population. This may mean an organization is behind the patching curve. In some cases not all patches are installed, due to conflicts with proprietary software, or no need. But staying diligent on all fronts including protecting the network and educating the users helps mitigate situations such as this.
IT management is more than just supplying software and patches along with computer hardware for users. It takes a c-level management that is will to invest in making their organization work well and a support the IT infrastructure. If they properly staff their IT departments, allow for upgrades and patches, and work with training the users, a lot of this can be avoided By multiple attack points, meaning multiple users, there's only so much the IT support team can do to mitigate a situation. All the best firewalls and servers can only do so much, so having everyone on board, including an educated workforce, then there's less of a chance of a situation to occur.
Having everything, including the OS in the cloud is no panacea either. Sure it reduces the number of individual attack points, but it's like putting all the eggs in one basket. If the cloud-based computer system is hacked and taken offline, this can impact more than just a single organization, or a small number of users. We have seen this ourselves with our DRM server or DLS going offline, and what we have is small peanuts. Imagine if Google's data servers go offline. Have you wondered how many users are impacted? Sure there are image backups, which can restore this situation, but it's a matter of the server issue being discovered first and rectified. In some cases it maybe worthless to restore data immediately, because the restored data can be attacked anyway. The downtime can run into billions of dollars, pounds, and Euros, lost as organizations are stuck without their data.
http://mashable.com/2015/10/09/google-docs-sheets-down/#RSQIcnNVeZqy
What about when there was a glitch with Amazon's servers more recently because someone entered in a wrong code. Oops! All the servers went offline due to a mixed up key sequence.
These are only a couple of incidents, and both were down due to technical difficulties and not a hack. What would happen if this was a hack, a denial of service attack (DOS)? The problem could be much worse as was the case with Estonia back in 2005 when their complete internet service was brought down by someone attacking their routers.