re: Sounds bad...
"Usually seem to be coming from otherwise legitimate sites as well. I think the blackhats have gotten smarter about how they poison things. I think they are targeting ad servers and poisoning some small percentage of the ads to redirect to sites that use automated installers to infect the systems"
That's exactly what they're doing, and we're talking big-name sites. One of my clients has had a few of their users repeatedly infected, sometimes on consecutive days after I've cleaned the systems (yes, I'm 99% sure that the machines were fully clean [only 99% sure because you can never be 100% certain]). What's the commonality? foxnews.com. Yes, I know, it's an oxymoron and we should avoid Fox, but they're not the only ones. I've seen indirect infections from Fox domains (foxnews.com, foxsports.com, etc.), cnn.com, mlb.com, nba.com, nfl.com, and nhl.com. In every case, it's coming indirectly from their advertisers. Because they use so many advertisers, it's impossible to tell which one (by viewing a DansGuardian access log).
Specifically sports-related (and loaded indirectly via advertisers on sports-related sites), there are a few supposed statistics domains that redirect you to malware sites. I've seen this on ab-outstat_dot_net, evenmorestats_dot_com, officialstat_dot_com, onlinepromostats_dot_com, onlinestatsmanager_dot_dom, statisticsmanager_dot_com, and statscontroller_dot_net. All of those were redirects from advertisers.
This is why I recommend to all of my clients that they use Firefox with Adblock Plus at the very minimum, preferably with Flashblock and NoScript (though many users either can't figure out how to use those two or don't want to learn how because it makes browsing somewhat inconvenient). I also highly recommend they use a hardware firewall acting as a transparent proxy server, and use DansGuardian to filter web traffic. One of the things I've done is set up DG rules to block regexp URLs to try to cut down on possible infections -- block domains with "antivirus" or "antispyware" followed by a four-digit number (which will catch things like antivirus2009_dot_com), block files with "setup" followed by numbers only, etc. It certainly won't block everything, but it sure has cut down on the service calls due to infections. Of course, I could use the money from those service calls, but I'd rather my clients be protected and happy.
Nowadays it is no longer safe to browse the Internet. You are not guaranteed to remain free from infection simply by avoiding "dodgy" sites. At the rate the black hats are cracking websites and advertisers, no website can be considered completely safe.
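The two URL-pattern rules described in the post above (domains with "antivirus"/"antispyware" followed by a four-digit number, and installer names like "setup" followed by digits) as a small, runnable check. This is an added example, not the poster's actual DansGuardian configuration: the regexes are my reconstruction of the rules as described, the sample URLs are constructed, and the `bannedregexpurllist` file name and one-regex-per-line format are from my memory of DansGuardian and should be verified against the version in use.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Reconstruction of the two rules the post describes (hypothetical, not the poster's real list):
#  - hostnames containing "antivirus" or "antispyware" followed by exactly four digits
#    (catches antivirus2009.com but deliberately not antivirus20091.com)
#  - a final path component of "setup" followed by digits only, with an optional extension
HOST_RULE = re.compile(r"(?:antivirus|antispyware)\d{4}(?!\d)", re.IGNORECASE)
PATH_RULE = re.compile(r"(?:^|/)setup\d+(?:\.[a-z0-9]+)?$", re.IGNORECASE)


def classify_url(url: str) -> Optional[str]:
    """Return the name of the rule a URL trips, or None if it would be allowed."""
    if "://" not in url:
        url = "http://" + url  # urlparse needs a scheme to separate host from path
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if HOST_RULE.search(host):
        return "fake-av-domain"
    if PATH_RULE.search(parsed.path):
        return "numbered-setup-file"
    return None


def dansguardian_regex_lines() -> str:
    """Render the same two patterns as lines for a DansGuardian bannedregexpurllist
    (one regex per line, '#' comments). DG matches against the whole URL, so the host
    rule is anchored on '://', and POSIX-style character classes are used instead of
    the lookahead above. Assumed format; check it against your DG version."""
    return "\n".join([
        "# block fake-AV domains such as antivirus2009.com or antispyware2008.net",
        r"://[^/]*(antivirus|antispyware)[0-9]{4}([^0-9/]|$)",
        "# block numbered installer names such as setup12345.exe",
        r"/setup[0-9]+(\.[a-z0-9]+)?$",
    ])


# Constructed sample URLs (not taken from any real access log)
SAMPLES = [
    "http://antivirus2009.com/scan.php",
    "http://www.antispyware2008.net/",
    "http://antivirus20091.com/",
    "http://cdn.example.com/dl/setup12345.exe",
    "http://cdn.example.com/dl/setup.exe",
    "http://www.foxsports.com/nfl",
]


def audit(urls=SAMPLES) -> dict:
    """Map each URL to the rule it hits (None means it would be allowed through)."""
    return {u: classify_url(u) for u in urls}


if __name__ == "__main__":
    for url, verdict in audit().items():
        print(f"{verdict or 'allow':22} {url}")
    print()
    print(dansguardian_regex_lines())
```

Running it on the constructed list shows the two fake-AV hostnames and the numbered installer being blocked while the legitimate sports site, the plain `setup.exe`, and the five-digit domain pass; as the post notes, rules like these cut down on drive-by installers but are no substitute for script and ad blocking on the client.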