IE and Flash are the main problems, accursed ActiveX!
IE is still an open wound, as is anything which uses its browser component, and will stay so until ActiveX is no longer supported by IE and Windows, and is replaced by a properly sandboxed and secured plug-in framework. Lazy web site owners using ActiveX plug-ins must stop being humoured, and be actively blocked by all browsers, with a security message to users; it's the only way both will learn!
Flash is also a steaming pile of insecurity, because it is not coded to be secure, does not have a proper security model, and does not provide a non-browser preferences GUI, so it continues to crash browsers and infect OSes! E.g. Flash malware can even get through Google Chrome, given I've seen clean system prompts from Microsoft Security Essentials while using it on some sites!
I so hope that all sites get rid of Flash video players ASAP, and that Flash is removed from all other sites!
Email is only a problem if you run an insecure email client or are stupid enough to open spam attachments.
It would help loads if all supported Microsoft OSes were fixed to never allow any external media to auto-run without a prompt and a virus scan, to prevent careless malware distribution from compromised machines.
Windows 7 UAC is a step in the right direction; however, UAC is still far too coarse and annoying, because its repeated prompts become noise and are thus blindly clicked through or disabled.