the best virus protection?

That wasn't a virus; it was the MacDefender trojan, or a variant of it, and you can find many discussions of it on this site. You got it because you were tricked into installing it of your own free will, not because it spreads without user intervention, as a true virus does.

Malware today most likely to come through the browser either through a trojan or a vulnerability in a web browser plug-in.

The lastest versions of Safari (finally) got a sandbox feature and more security, bringing it up to the level of other web browsers.

However Safari still runs all plug-ins by default as you surf the web. There is only one Safari extension that turns off only one potentially vulnerable plug-in and that's ClickToFlash.

All the other plug-ins like Java, Javascript, Silverlight etc are all running unless it's turned off in Safari preferences, making it rather a chore to go back and forth to turn them on/off or remove them if you can.

So as one is surfing the web, they are playing Russian Roulette basically, all it takes is one bad site, or hijacked sites.

This MacDefender trojan that appeared depended upon JavaScript running in the browser to pop up a fake window that looked like something from OS X, which even if the user clicked on to exit, caused a download to occur (Safari has no warning, it just downloads anything) and if the Open Safe File is enabled (default) the malware can pop up a window on the screen like some downloads do to agree to terms or other user notification.

Firefox with NoScript Add-on (turns off all scripts with a enable button if needed) and the nature of Firefox itself that asks the user before a download occurs, tends to mitigate drive by downloads trojans and plug-in exploits.

It was overwhelming amount of Safari using Mac users that were hit with MacDefender, only a few were Firefox users and none were NoScript Firefox users because I've tried. 🙂

Why doesn't Safari warn that a download is about to occur? A very simple proceedure to confirm with the human that the action they initiated was actually their intention, is beyond me.

Sure a user can click download anyway if they are duped, but it dramatically reduces the amount of machines being a target. So much that malware writers likely would go elsewhere for greener fields, they have to work on volume in the short window of opportunity they have.

There is a warning when one closes a file that they didn't save. But there is no warning that a download is about to occur that can encrypt all their data and demand a ransom?

Apple is still stupid in that regard in my opinion. 🙂