Bruce Schneier reports on a study of major Internet browser security issues in 2004. The study compared MSIE, Firefox, and Opera, and tracked the number of "known unsafe" days for each browser, defined as days upon which a remotely exploitable security hole had been publicly disclosed but no patch was yet available.
MSIE was 98% unsafe, with only 7 days in 2004 upon which there was NOT a publicly known, unpatched, remotely exploitable security hole.
Opera was 17% unsafe, with 65 unsafe days; the number would have been higher, except that two unpatched vulnerabilities happened to overlap.
Firefox on the Mac was 15% unsafe; of the 56 unsafe days, 30 were a hole that affected only Mac users.
Firefox on Windows was 7% unsafe, with 26 at-risk days.
Says Bruce:
This underestimates the risk, because it doesn't count vulnerabilities known to the bad guys but not publicly disclosed (and it's foolish to think that such things don't exist). So the "98% unsafe" figure for MSIE is generous, and the situation might be even worse.