dan1980 - "Take a restaurant found to be serving food that makes their customers ill. If it's in the handling and storing and preparation of the food then the case is clear - it's the restaurant's fault. But what if the cause was bad produce from the supplier?"
The analogy is a good one but there is a bit of a flaw when think about who the customer is in each situation.
Putting aside criminal responsibilities for a moment, the responsibility a restaurant has is between itself and those it enters into a contract with (the customers and suppliers), the supplier is merely a subcontractor in the contract to provide its customers with a meal. Therefore, if you have been given dodgy food in a restaurant, it is the restaurant that should reimburse you. The restaurant might then attempt to get those damages back from its supplier (who may then go to its supplier, etc) but that isn't the concern of the customer. The customer doesn't have any contract with the food supplier.
So yes, the restaurant should have standards about the quality of the food supplied as they are expected to deliver a standard of quality to their customers. Basic supply chain and subcontracting.
However, the problem with this is what is the contract that is being entered into? You're not paying for the website like you are a meal.
I'm sure the websites would claim that they are not delivering adverts to their readers, they are delivering news stories to the readers and eyeballs to *their* customers (advertisers). This would be like the restaurant giving you food free of charge but in return they just simply play the radio (and the radio pays them for this) and if your ears are damaged by the adverts on the radio, well that's not their responsibility its the radio station's.
I think a better lever to encourage websites to do their job properly is criminal responsibility - do websites have a legal responsibility to ensure that the Computer Misuse Act (or non-UK equivalent) is not violated by content delivered on their site? I would argue that they do and that malvertising is very much a violation of 'anti-hacking' laws. If torrent sites are considered responsible to not link to torrents that violate copyright then news websites are even more responsible for adverts that their pages direct the reader's browser to download. If Cyber is the big national security threat then why aren't police forces prosecuting websites that assist in unlawful computer hacking. A few prosecutions and I can guarantee any major website will be vetting advert agencies very closely.