"Bugbear" is more than just a virus, which is especially disturbing. The malicious code has the capacity to collect information about your computer, including a log of keystrokes, and email all that off to a predetermined email address. The virus also makes sure it sends itself to any email address it can find on your computer, just to be social.
Expecting vulnerability-free software, especially from Microsoft, really isn't realistic. We can, however, expect patches to address discovered vulnerabilities; we just can't expect users to apply them. It's situations like this that make me wonder whether something like Windows Update should default to automatically download and install security patches without user input. I'd even settle for a simple first-boot dialog box asking users for permission to download and install security fixes automatically, but I suspect such a scheme would have many vocal opponents.
The best solution would be secure software, of course, but what about something more realistic? How do we protect users from themselves?