PPRuNe Forums - View Single Post - Recommended security add-ons
17th Oct 2011, 13:57
#18
IO540
 
Join Date: Jun 2003
Location: EuroGA.org
Posts: 13,787
That is all true, but the software which accesses external sites had to arrive at your computer from somewhere to start with.

If you install Skype, and it goes to your firewall and opens up the ports it needs, and then it goes to your router and (with UPnP?) opens up the ports in that also, that is not good, but I did say to the other poster:

"If you just browse major websites (e.g. bbc.co.uk)"
If he does all kinds of other stuff too then his machine can be compromised.

And if you then go and block those back doors using a firewall, then Skype will stop working...

At work we run an email server and we used to get about 10k spams per day, not to mention regular dictionary attacks on port 443 (router config port) so I have no illusions about nice people out on the internet. Even after we went to Messagelabs for incoming email filtering we still had spam delivered to our IP via SMTP, and we had to set up the email server to accept emails only from the ML IP ranges to stop that.

But I still maintain that somebody who uses a computer, at home, for pure web browsing on major websites is going to be fine.

That is not the same as doing exactly the same while working at, say, Cisco, whose IT systems will be subject to hundreds if not thousands of attacks concurrently.

I have configured PCs and laptops for loads of people over the years and every case of a trashed machine I saw was caused by some trojan which fairly obviously came down email, instant messaging (usually a message containing a URL) or from an infected website. In most cases, on machines used by kids, who tend to click on everything that pops up.

The worst one I ever had was a PC I built for the child of our postman. As far as I could tell that kid, about 10, only ever used a web browser, but the machine was almost unbootable. When I saw the websites he was clicking on, it was not surprising. He simply clicked on every link he saw. But still no evidence of a highly technical attack.

There are many infected websites etc. but I just don't see significant resources going into hacking typical homeowner PCs behind NAT routers. Do you have evidence that the botnets are set up in that way? I have seen a few zombie PCs (including one belonging to my son; he lives with the ex) but all of them were used in a manner which would have guaranteed instant infection.