I doubt that they even evaluated
whether autorun/autoplay would create a security vulnerability. Malware introduced from a CD or DVD disc is probably rather uncommon. In contrast, malware introduced from a USB storage device is a very significant risk.
The Microsoft techs were just thinking that it would be much more convenient to use the "CD player" to launch games or play music, install software, etc. if the action began when the user simply inserted the CD and closed the tray (ditto for DVDs). Of course, it was meant to be used to install software, whether it would be perverted to install malware would be difficult to ascertain at the time. It is worth remembering that the risks 8 years ago are not what they are today.
USB 1.0 preceded Windows XP by at least a couple of years, but the original Windows XP USB drivers were for I/O peripherals (mouse, keyboard, printers) and did not envision storage devices. USB 2.0 became standard (at least with regard to implementation) about a year after Windows XP was released, which is when I bought this computer. FWIW, the USB 2.0 drivers on my computer are from NVidia (the mainboard has the nVidia nForce2 chipset) and they do support storage devices. IIRC, that was also implemented in Windows XP Service Pack 2, or maybe earlier in SP 1A.
Before USB, I knew many people who had serial-port HDDs, and not only SCSI, but "ZIP drives" which had capacities of about 250 MB (yes, MB) which was respectable at the time.
