Viruses do not depend on vulnerabilities

The traditional 'computer virus' does not depend on exploiting kernel or userspace
vulnerabilities to get more privileges.  It just attaches itself to every executable it can
write (and on Unix, I suppose, it might add itself to shell scripts).  So patching is not a
way to avoid viruses.  Not running untrusted code is a way to avoid them, but can any of us
here honestly claim that we audit all source code before typing 'make install'?  Or verify PGP
signatures on the tarball?  Wouldn't non-technical users download and install the Flash plugin
or Nvidia drivers without a second thought?