Note that I'm a smart computer user who keeps everything patched and up to do, as well as knows how to configure a hardware router/firewall.
I see a lot of people claim things like this. The question I ask every one of them, especially if they run XP (an outdated OS missing a number of modern security features, like application sandboxing and ASLR), is whether they run as Administrator or not. 95% still say Yes (beats the approximately 99.9% otherwise, but... still too high). Running as Admin is a *terrible* idea - you might as well be running Windows ME, in terms of security - yet far too many people do so anyhow.
I'll grant you that running as a non-admin on XP or older is a pain - it was that pain which drove me to Linux in the first place. Now I dual-boot Win7 and Linux (Vista and Linux on my older machine) and things have worked out very well. I don't have any continuous monitoring AV running (I keep a copy of ClamAV for on-demand scans), I don't disable UAC or Protected Mode (in fact, I tweak the UAC settings and remove FlashPlayer's exemption regarding Protect Mode). A few UAC or sudo prompts a month is easily worth the extra protection that not running as Admin provides. Security is all about defense in depth, and relying solely on anti-intrusion methods is stupid.
Yes, there's still a lot of harm that can be done with standard user permissions. However, most malware authors, especially for Windows, assume that their code will run as Admin/root, and therefore it would fail on my system anyhow. Furthermore, without Admin, malware can't make itself un-removable. It might send spam or DDOS attempts, but it couldn't edit my firewall settings, hide itself from task manager, install kernel-mode code, or prevent me from deleting it.
The bigger the theory the better.