One major reason (among many) that so many machines are compromised is the use of Internet Explorer with 'active scripting' enabled. [This is that setting: IE> Tools> Internet Options> Advanced> Security: Allow active content to run files on my computer]
This setting allows a webpage to install software on your system, which may or may not be malicious; you have no way of knowing. In effect, it is an "open door" policy.
Another serious oversight is browsing the web while logged in to an 'Administrator' account.
One of the best ways to avoid malware being installed from the internet is to use Firefox with the 'NoScript' add-on as your primary browser, and fall back on IE only as a last resort to view or interact with a sub-standard webpage. Switch back to Firefox when finished.
Firefox download: http://www.mozilla.com/en-US/firefox/
NoScript add-on: https://addons.mozilla.org/en-US/firefox/search?q=Noscript&cat=all
Peer-to-peer file-sharing sites are also a prime source of infections.
Intentional downloads from peer-to-peer sites, clicking links from known badware sources (social networking sites), allowing 'ActiveX' controls, and so on will ultimately defeat any security barriers.
Using an all-in-one security 'suite' does not give the blanket coverage such products purport to; nor is it a free ticket for willy-nilly behaviour.
All anti-virus apps rely on known signatures (fingerprints) of malware as their core defense.
Occasionally an app ("Blink", for instance) will add features (such as buffer/stack overflow protection) to defeat known attack methods (vectors), but always remember that the fluid nature of the Internet and the cleverness of malware authors mean you must at all times know the current, real-time threats and counter-measures.
Combined real-time barriers, system configuration and user habits are your best first line of defense.
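To show why "known signatures" are a floor and not a ceiling, here is a small added example (mine, not from the post or any vendor product) of how a signature scanner works. It uses two constructed, harmless byte strings as stand-ins for malware samples: a whole-file hash signature catches the exact sample it was built from, a byte-pattern signature also catches a lightly modified variant, and a never-seen sample slips past both. The hashes and patterns are made up for the demonstration and are not real indicators.

```python
import hashlib
import re

# --- Constructed sample data (not real malware, just illustrative bytes) ---
SAMPLE_KNOWN = b"MZ\x90\x00DROP\x00ABCD\x00EXEC-payload-v1"
SAMPLE_VARIANT = b"MZ\x90\x00DROP\x00WXYZ\x00EXEC-payload-v2"  # same structure, a few bytes differ
SAMPLE_NOVEL = b"MZ\x90\x00something-the-vendor-has-never-seen"


def sha256_hex(data: bytes) -> str:
    """Whole-file fingerprint: the most common kind of AV signature."""
    return hashlib.sha256(data).hexdigest()


# Signature "database". In a real product this is what the daily update refreshes.
KNOWN_HASHES = {sha256_hex(SAMPLE_KNOWN)}  # built from the one sample the vendor analysed
PATTERN_SIGNATURES = {
    # Looser signature: a byte pattern shared by the family, not one exact file.
    "demo-family-pattern": re.compile(rb"DROP\x00[A-Z]{4}\x00EXEC"),
}


def scan(data: bytes) -> dict:
    """Run both signature types over a blob and report what fired."""
    return {
        "hash_match": sha256_hex(data) in KNOWN_HASHES,
        "pattern_matches": [
            name for name, rx in PATTERN_SIGNATURES.items() if rx.search(data)
        ],
    }


def verdict(data: bytes) -> str:
    """Summarise the scan: exact match, family match, or nothing known."""
    result = scan(data)
    if result["hash_match"]:
        return "known-by-hash"
    if result["pattern_matches"]:
        return "known-by-pattern"
    return "no-signature"


if __name__ == "__main__":
    for label, blob in [
        ("original sample", SAMPLE_KNOWN),
        ("tweaked variant", SAMPLE_VARIANT),
        ("novel sample", SAMPLE_NOVEL),
    ]:
        print(f"{label:16s} -> {verdict(blob)}")
```

The tweaked variant defeats the hash signature but not the pattern signature; the novel sample defeats both, which is exactly the gap that safe browsing habits and least-privilege accounts are meant to cover until the vendor ships a new signature.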