Quote - There have been cases of published software, by major vendors, having viruses. There are also other attacks (such as buffer-overflow attacks) which do not require the user to initiate the remote execution. Also, the level of lock-down required to avoid all possible methods of insertion of viruses is sufficiently draconian that it is infeasable for most home users.

There is a lot of mythology, urban legends, propaganda and the real story is never published.
You must look at the common and usual causes of the virus infection and not theorical and hypothetical causes.
Always exist the possibility that a purchased CD of some company has been infected by a virus, but how much is the probability to happen????
The probability to happen is so remote that is very more probable to your computer be destroyed by a thunder or fire than by an infected published software purchased in a legal way.
The buffer underflows are very dubvious and this story was never explained. With all my professional experience I am not able to understand how a buffer underflow or overflow, beside causing malfunction to the program, can install a virus. The real story must be very different.
Bugs exist, but bugs are not the cause of virus infection of millions of users.
You must look at the source of millions of infections and not some cause that only happens one in a million.
You vist a site and your computer is infected and of course only if you use IE, it's not a bug of IE, it's a feature of IE.
Microsoft have created all the tools needed for companies and Microsoft itself install any kind of spywares into your computer using IE. You don't get a spyware without your knowledge using Firefox, no matter of all the bugs reported of Firefox. Spyware without your knowledge only happens with IE, it's not a bug, it's a feature!
Of course, if a company has the tools to install a spyware into your computer, any one that hacks a site or create a malicious site is able to install a virus in your computer instead of a spyware.
Spyware and virusware are almost the same!!!
Some people can get his computer infected after clicking on an attachment of a received email "blondejoke.exe", but most of the people get infected by only receiving and email through Outlook, you don't need to click on "blondejoke.exe", Outlook does this task for you without your knowledge!
These are not bugs, these are features. Once some virus attacked millions and more millions using these "features" then appears the typical story, a bug was found and a security patch is released, you must install the patch, but what the patch does is not remove an inexistent bug, the patch only removes a feature and more probably only change how the feature must be used, so this existent virus cannot attack your computer, but a new virus will be able to do it using the new way of using the same feature and the story repeats one more time and another patch and it goes forever......

Tell me, if Microsoft is able to change or update your Windows and Vista will be the master of watching what you are doing and changing your software, why some another site cannot do the same, watch what you are doing and install any spyware, virus, bank account tracking software, trojan. The malefic site only need to cheat your computer making believe that is speaking with Microsoft itself and the gates of Hell are open.
It's not a bug, it's a feature......

Stupidity also evolves!