The MacDefender malware actually uses Javascipt to pop up a window in order to fool users into clicking and downloading.
Java just got a update for OS X (Apple handles Java for OS X) and has had numerous security issues with bad websites.
Flash is the same catagory as Java, a real POS.
You can check the status of your plug-ins here:
https://www.mozilla.com/en-US/plugincheck/
You can turn off Java in Safari preferences and likely never have a need to use it, if you see the coffee cup symbol on a web page where something should be running and that would be Java. You could turn that back on temporarily.
Flash is used quite a bit more than Java, so you can install a Click2Flash extension for Safari and this way Flash is off by default unless you click on a Flash element to run it.
Javascript is used quite often on many webpages, out of hundreds of web sites I visit a day, perhaps 5-8 of them I need to turn on Javascipt for or else it won't work. (some I don't need it as i can read it just fine)
For Safari going to the Preferences ten times a day to turn Javascript on/off isn't a option.
So what I do is use the Firefox web browser and a Add-on called NoScript.
NoScript is a web cop, basically not allowing websites to pull trickery on you as you surf. It also turns off ALL scripts (Java, Javascript, Flash, Silverlight etc) by default.
If you need the scripts to run, you click a Toolbar button and they are enabled for that site only for that time only.
So this way one reduces their exposure window to malicious or compromised sites waiting for the next driveby victim with all their scripts running.
Other add-ons are Ad Block Plus, Ghostery (web bugs), BetterPrivacy (deletes hidden Flash cookies), HTTPS Everywhere (asks websites for a secure connection), Certificate Patrol (helps you keep a eye out for stolen certificates), FlagFox (IP of site and background check) and WOT (Web of Trust)