Mobile phones (OS) don't have any form of autorun
So?
You cannot run .exe/.cmd/.com/.lnk attachment from e-mail
Correct. On the iPhone, you just had to visit a *website*, ffs.
Seriously, this statement is beyond short-sighted. It's one zero-day vulnerability from being completely false.
A lot of users still ... don't ever install a single extra app
Again, who cares? All you need is a hole in one of the stock apps, and voila, users are hosed. Moreover, given how slow mobile phone operators are in updating the OSes on their network (the Android situation being the most obvious), a vulnerability like that could be a) near universal, and b) very slow to close.
Unless Apple/Google becomes careless it's hard to believe that malware authors can (frequently) penetrate their app stores
See above. This point is, well, pointless.
There is still some variety: iPhoneOS/Android/RIM/W7 so malware writers can hardly target all platforms at once - so outbreaks are hardly possible
Please... you need only target one of those platforms to hit millions and millions of people. That's by far lucrative enough to make it worthwhile.
Frankly, I think the only reason you haven't seen this yet is because most malware is directed at turning a machine into a zombie, something for which a mobile device isn't that useful. But the minute someone can, for example, break an iOS device or Android device and start snarfing passwords, it'll become a far more interesting target.