Apps are the usual point of entry.
Even the best operating systems can be pwned if any apps have holes in them. In the desktop environment, applications like adobe flash, and java are favorites for criminal exploit kits. In a Windows PC machine, using a limited account with all applications and the OS fully updated; it has been very difficult to find exploits that can take hold in my honey pot lab. However malware, can sometimes run with the same rights as the user and still do damage to their finances or other personal integrity.