And yes, these attacks happen on totally legitimate sites that are not very discriminating on the ads they run, or whose admins do not properly defend their server against worms/teh h4x.
XSS attacks are the #1 growing attack technique by far. As long as there is money to be made in infecting computers, techniques will get more advanced as offense is always ahead of defense in terms of Malware/AV software. Simple image and video content is all you need to transfer malware.
I wish it was as easy as saying "Obey these 3 rules and you will not be infected", but that is simply not the case anymore. The people that write this software are honest to God, legitimate, Software Developers. You don't have to like 'em, but you do have to respect 'em.
The only way to be 100% certain that you do not end up with malware at the end of the day is not AV software, it's not being cautious, it's not using a Mac or Linux, it's virtualized environments. And one of these days, even that might not be a panacea.