@ Nes Anderson,
I've gone for almost 5 years now without getting an infection
Once upon a time that would have been a statement that would have indicated that you were failing to detect the malware.
But times have changed as you have noted,
... but still... what are the viable attack vectors these days? In the 90s I was fighting off a virus every week. These days I rarely download anything that a scanner complains about.
The simple answer is "low hanging fruit", but it's a little more complicated than that. Basically what has happened is twofold, the first is that people are in general more wary than they used to be, the second is that software security has and still is improving. Attack vectors have moved up the software stack as first the OS and now Application security is improving, and many attacks these days go fundamentally for the major weak link, the user who sits at the top of the stack. For whilst users are more savvy these days in general and use technical security measures there are still a lot of people out there who are basically gullible in one way or another.
Now I'm not saying that those who do get hit are to blame for the attacks succeeding although a few are, but in the main there is an edge effect on people's knowledge thus nearly all of us can be attacked successfully if the attack comes at us from what is our knowledge blind spot.
The question is then do we try and improve people's knowledge or do we try other methods?
Well to be honest, I have trouble keeping up with all the latest twists and turns as I suspect many of this blog's readers do and I realise that there is just no way I can assimilate all the required knowledge in a timely manner so why on earth should I expect others to do so?
We have got to the point now where even very paranoid solutions (air gaps) are being defeated by clever and determined attackers. We have also seen that "supply chain poisoning" cannot realistically be avoided even for the professionally paranoid such as the Military.
So you are going to get hit and owned if an attacker is determined enough irrespective of who you are.
So the answer is in reality limit your vulnerability (attack surface) and desirability (minimise loss potential) to attack and cross your fingers and hope you don't have the misfortune to become an unwitting cut out.
In essence the oldish advice about you need to get "street wise" before you become "road kill" applies. But the only way you can guarantee not becoming road kill is by never stepping on the streets which is in most cases neither practical nor possible because you cannot live a life without risk. The same reasoning applies today with the Internet only it's harder because it's intangible "information" not tangible "physical" objects you can see and touch.
For instance it's moderately easy to stop a physical object being stolen by all but the most determined thief, and you are usually quickly aware of when the physical object has gone missing. This does not apply to information where accessing it is copying it which is in effect identical to stealing it only you get to keep the original. And this is a hard problem to deal with because usually information only has value if it is used therefore in effect (potentially) stolen because you generally don't have sufficient control over the person who accesses the information to limit them to legitimate use only (if you can even define "legitimate use" in the first place).