I've been surfing on my Windows 2000 system while completely exposed to the Internet on my DMZ. No firewalls, no anti-virus, not even a pop-up blocker. The box is exploited immediately.
Many of the default configurations on a fresh Windows 2000 box are just plain ridiculous. For example, C$ and parts of the root are shared out on earlier versions of Windows 2000. Message services, port 139, and other very easy-to-exploit applications and services are turned on by default on Windows 2000.
It is no wonder Windows systems are always getting taken down. Just turning off some of those services does quite a bit to close some of the holes on Windows boxes. With broadband getting more popular, the combination of unprotected systems and the viral marketing of malicious code is creating a storm on the Internet. An unprotected system is rendered completely useless in a matter of weeks (days and hours if you surf porn or serial sites).
Here are some of the vulnerabilities on Windows systems at SANS.org.
In all honesty, if you have a good firewall, virus protection, maybe a pop-up stopper, and a good security configuration, you could have a Windows 98 machine and NEVER get a virus.