1. Maybe. There's a chance that holes will be found. There aren't enough police for the criminals if ya know what I mean.
2. Like Windows, when you throw commercial software into the mix, you get exploits through those. When people are attacked by drive-by downloads, it's because of vulnerabilities in extensions such as QuickTime/Flash/Java/.NET Extensions/etc. It could even be through the browser itself.
This.