One reason is that before Haswell there is no INVPCID instruction, so pre-Haswell CPUs become slower when the patch is applied. Microsoft also refused to use INVPCID optimizations on older Windows versions (everything except Windows 10), so even if you are running Coffee Lake with Windows 7/8.1 it's slower. INVPCID is related to the Meltdown patch, not Spectre. The patch for Spectre is what slowed Haswell down, though.
Basically, these patches highly impact performance on the following architectures:
Meltdown: Nehalem (partial), Sandy Bridge, Ivy Bridge
Spectre: Nehalem (partial), Sandy Bridge, Ivy Bridge, Haswell, Broadwell
The one advantage of pre-Skylake processors is that you can simply use Retpoline on Linux and you are patched for Spectre. However, on Skylake processors, since the BTB (predictor thingy) is too aggressively utilized, you need IBPB as well.
Basically, on Windows you are using IBRS, STIBP and IBPB for Spectre, which are microcode instructions. They highly impact performance in many scenarios.
In Linux, you either use Retpoline (software based) for Spectre or Retpoline+IBPB for Spectre. The performance impact can be greatly reduced.
Another reason to switch to Linux on your older machines.
Also, AFAIK most current silicon still doesn't have Meltdown/Spectre mitigations built in yet. Maybe the 9000 series K and X processors have them.
The Spectre patch is installed together with the Meltdown patch, but remains disabled until a microcode update. If your microcode is updated via a BIOS update (microcode is embedded in the BIOS), or via Windows Update (this microcode exists as mcupdate_genuineintel.dll and is loaded from the OS, not at boot), then the Spectre patch becomes activated.
Not to mention, even if malicious JavaScript is spying on your details, you just need to restart your computer before doing important stuff.
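To check which of the Linux mitigations mentioned above are active on a given machine, the following added example (not part of the original post) parses the kernel's `/sys/devices/system/cpu/vulnerabilities` files and the `pcid`/`invpcid` flags in `/proc/cpuinfo`. The function names and the sample text are constructed for illustration.

```python
import re
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample: an Ivy Bridge-style CPU (PCID present, INVPCID absent).
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme sse2 pcid aes avx\n"
SAMPLE_VULNS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, "
                  "IBRS_FW, STIBP: disabled, RSB filling",
}

def cpu_flags(cpuinfo: str) -> set:
    """Return the feature flags of the first CPU in /proc/cpuinfo text."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo, re.MULTILINE)
    return set(m.group(1).split()) if m else set()

def summarize(cpuinfo: str, vulns: dict) -> dict:
    """Summarize Meltdown (PTI) and Spectre v2 mitigation state."""
    flags = cpu_flags(cpuinfo)
    v2 = vulns.get("spectre_v2", "").lower()
    return {
        "pti_active": "PTI" in vulns.get("meltdown", ""),
        "pcid": "pcid" in flags,        # makes PTI cheaper
        "invpcid": "invpcid" in flags,  # Haswell and later
        "retpoline": "retpoline" in v2,
        "ibpb": bool(re.search(r"ibpb: (conditional|always-on)", v2)),
        # \b does not match before "_", so "ibrs_fw" is not counted as IBRS.
        "ibrs": bool(re.search(r"\bibrs\b", v2)),
        "unmitigated": sorted(n for n, s in vulns.items()
                              if s.startswith("Vulnerable")),
    }

def read_live() -> dict:
    """Read the real files when run on a Linux host that exposes them."""
    vulns = ({p.name: p.read_text().strip() for p in VULN_DIR.glob("*")}
             if VULN_DIR.is_dir() else {})
    info = Path("/proc/cpuinfo")
    return summarize(info.read_text() if info.exists() else "", vulns)

if __name__ == "__main__":
    for key, value in read_live().items():
        print(f"{key}: {value}")
```

On the constructed sample, PTI is active with `pcid` but without `invpcid`, and Spectre v2 is handled by Retpoline plus IBPB rather than IBRS.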