Remember Murphy's Law- If something can go wrong, it will.
I've been fortunate in this respect. In several decades of computer use, I can't recall having picked up any malicious programs on my machine (Except Windows, hurr durr :3). Tracking cookies are as bad as it ever got. How was this possible, you might ask? Well, there are several factors:
1) I'm really, really lucky. I don't count on it, so I also have...
2) A firewall up at all times.
3) An Antivirus running ASAP in the boot process. I may turn it off later, after the comp's up and running and I need all the CPU cycles I can get, but I never go without one at startup or during online activity.
4) As many security updates as I can get. Functionality and enhancement updates can wait, security updates cannot.
5) Know thy enemy, know thyself. My machine's been clean partially because I've had to remove so many malicious programs from other computers, be they friends, family, business, or public. I don't just remove them- I like to dissect them to see exactly how they did it in the first place. It's a lot easier to counter an attack when you know how they do it. It's also a lot easier to spot something wrong when you know exactly what you machine does when it's clean. Any difference from the status quo throws up a red flag.
6) Don't be hasty. "Do I really need this?" is always a legitimate question, and the answer is usually "No." The latest software is, by definition, also the least tested, meaning it's likely rife with security holes and other problems. Windows Vista is an excellent recent example of this- the SP1 update contained a ton of items that fall under the "Why didn't they do this from the start?" catagory. It was so bad that a great many people decided to stick it out with XP. Vista's managed to improve quite a bit since then, but that's not much solace for those that got burned because it hadn't received a good real-world test. A pure gaming rig can afford to take that risk, but if I'm using a machine for something important, I prefer tried and tested programs.
7) Keep it simple. The more you have, the more that can go wrong. I can count all the programs in my system tray on one hand, and every one of them is an essential function.
Oddly enough, the weakest point I've seen in system defense, as revealed by my dissections, isn't the OS, the net connection, or a flaw in the security programs- it's the user. It all boils down to an assumption by the malicious coders that people are easily manipulated idiots, and they're right. There's no security system in existance that can protect you from your own ignorance. Luckily, you can fix this! All it takes is a little time and effort