Most of the time, the spyware and malware come in via the ad systems. That's how most people are getting the fake spyware/virus scanners on their machines from legit sites. The sites use an ad service to generate money to support their servers, such as OCDO does, but the ad service doesn't always check the ads that have been given to them.
You don't have to click on an ad to get infected from the ad that has been downloaded when the browser downloads it to display on your computer. Usually the malware is executed via exploits with outdated software that is running on your computer. Play with BackTrack, and you'll see what I mean.
If you use an ad blocker, you won't see the ads, and will have much less risk from getting the crap that is spread by the ads.
I use Chrome and Firefox with Ad Blocker Plus, Java disabled unless I right-click and enable a specific Java object, pop-up blocker, etc.