As long as users, webmasters and webserver admins do not fully upgrade and patch their software, malcreants can proceed to attack and also find ways to circumvent detection (obfuscation, random algorithms, random domain launching, arp poisoning, nixdomain abuse, DNS abuse etc. etc. etc.. It is a cat and mouse game where the dark forces seem to have the better of the game (see the large number of jobless and underpaid developers going to join the hackers, crackers and cyberbrigands). Recently malcreants used undocumented code functions to be able to go under the radar of av detection or even had them crash. There is a continuous war out there between the malcreants and the protectors, analysts etc. What is not helping particularly is that there is a vast array of people that absolutely without zilch knowledge about how to protect their users (webmasters, hosters that think rather of profit than security) and themselves are allowed unto the Interwebs. Google Safe Browsing finds up 10.000 insecure and malicious websites a day! Now I can think you can formulate an answer to your question yourself....
polonus