At the moment I think that it is quite possible for an average non-technical Windows user to become infected with malware without taking any action that might be considered unreasonable.
Sure, a lot of people do a lot of really dumb things, and I'd guess that most people with malware-infested PCs have done something dumb. Anybody who can't be bothered to learn the simple basics of security gets no sympathy from me when things go wrong. However, I don't think it's reasonable to criticize a novice or non-technical user for using a browser that shipped with the operating system. Some of the recent IE exploits seem to be able to function, at least in some circumstances, despite reasonable precautions, and that's all you can really expect of the typical user. You can't expect them to have to install Linux or even Firefox to be safe.
However, while users do dumb things, Microsoft also has to take some of the blame. Huge multi-megabyte downloads from Windows Update make it close to unusable if you're on dial-up (which most people still are), and the OS is full of holes. Internet Explorer has too many exploits that take too long to be fixed, and an operating system that requires administrator-level access for a typical user to do typical tasks is just fundamentally broken from a security point of view. Linux and OS X aren't immune to security holes either, but the separation between users and administrators is enforced, and that makes it much, much harder for malware to work.
XP/SP2 helps, and makes it far more secure out of the box. Still, at the moment it does seem too little, too late. I have to take the pessimistic view that things are going to get worse before they get better, and maybe in 12 months it isn't going to be unreasonable for even the technical user to get hit from time to time...