I don't think it's so bad. The Pwn2Own competition is notable primarily for the ridiculous levels of skill required to actually beat modern browser security (note: I do not include the still unsandboxed Firefox in this category).
What's been happening in recent years is that more and more bugs are being found by whitehat hackers first, with the complexity and difficulty of beating them going up radically over time. It used to be that random hackers in their bedrooms could put together browser exploit kits. Nowadays the people being whacked by clicking on "bad links" are mostly people who aren't keeping their software up to date properly or using decent browsers. Remember SQL Slammer and Code Red? It used to be that teenagers could find RCE vulns in Windows. Now it's much harder.
This trend is reflected in the rapidly escalating cost of buying exploits on the black market. There didn't even use to be a market for exploits.
Also look at the escalating difficulty of jailbreaking iPhones and Xboxes. The defenders learn from each successful attack and each time they fall, they get back up stronger than before. And that's despite the fact that there's hardly any money in writing secure software. Many customers will be happy if you simply patch holes that are reported to you, with few people choosing which product to use on the basis of a good security track record.
So it seems like things are getting better and the game is rapidly moving beyond many attackers' abilities; the age of the script kiddie is largely coming to an end when it comes to attacking user endpoints. Instead a new game is starting, one where professional teams of government-sponsored hackers fight against professional teams of private-sector-sponsored defenders. We can claim this isn't progress of a sort, but without the previous hardening efforts, the industry would be tackling both types of attackers at once ...