This report from SANS was an eye-opener for me: http://www.sans.org/top-cyber-security-risks.

Priority One: Client-side software that remains unpatched.
Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash, and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access…

Priority Two: Internet-facing web sites that are vulnerable.
Attacks against web applications constitute more than 60% of the total attack attempts observed on the Internet. These vulnerabilities are being exploited widely to convert trusted web sites into malicious websites serving content that contains client-side exploits….