The explanation for this may lie in the vastly increased number of malware infections floating out there, waiting to affect vulnerable systems.
Continuing to use made-up numbers, if in 2004 there were 10,000,000 viruses, trojans, and whatnot lurking in cyberspace, and in 2014 there were 100,000,000 such pieces of malware, then the 90% protection that MagicAndre cited would, indeed, result in your anecdotally getting about as many reports of infections from your demented friends as before. When dealing with the absolute number of infections, in addition to the increased effectiveness of protective measures we also need to account for the increase in available malware packages.
Sure, that could be a random-number explanation as good as any other, but IMHO you are confusing "pieces of malware" with "number of vulnerabilities" and with "number of incidents" (as much as the good MS guys and a lot of other people around confuse vulnerabilities with security).
There may be tens, hundreds or thousands of "pieces of malware" making use of the same single vulnerability.
There may be tens, hundreds or thousands of "incidents" that could be related to the same single vulnerability (actually to the corresponding exploit).
On the other hand, there may be tens or hundreds (possibly even thousands) of vulnerabilities for which an exploit is not practically doable or for which there is no viable exploit, and tens or hundreds of vulnerabilities for which an exploit exists but that never cause an incident.
More loosely, a number of vulnerabilities is in itself a sterile number.
Vulnerabilities are (largely) theoretical, in the sense that very often they need such a complex set of concurrent settings/setups that they are not statistically sound.
Let's say that I am writing a malware of some kind, and I discovered a brand new vulnerability.
The vulnerability needs (say) that:
- a user runs Windows XP SP3
- his/her motherboard is an Asrock xyz model
- the machine has more than 4 GB RAM
- the NIC MAC begins with 00:E0:4C (i.e. an additional RealTek network card is in the system)
and when a specially forged document (let's say an animated GIF) is accessed on a Friday between 00:01 and 00:09 GMT, I can run a payload of some kind, ONLY IF the user is using Internet Explorer 7.0 AND he is logged in as Administrator.
It is clear that if the user runs as "normal user" the vulnerability is no longer a vulnerability, but the same holds if any one of the other conditions is not met, so the number and complexity of the other needed conditions make it so improbable that my evil plan has any actual chance of success that, even if all the world's users ran as Administrator, I would never be able to cause any incident by using that vulnerability.
Yet it would be counted among the 90% of vulnerabilities "fixed" by running as "normal user".