"if one of your regular, trusted web sites ... gets compromised"
It doesn't even have to be one of your regular trusted web sites that gets hacked itself; if one of them uses an external ad server (or something functionally equivalent), and that gets compromised, that's sufficient.
Unlikely? Maybe, maybe not. It has already happened here once at The Register, though right now I can't find a link... might not have been an external adserver, might have been an internal load balancer, same basic principle applies.
And then there was the perfectly respectable TV aerial repair outfit I needed to call one New Year following some windy weather. Their website had been got at over the holiday.
Anybody thinking these kind of problems are restricted to dodgy websites and that they don't use them therefore they're safe needs to reconsider.