Here is something I’ve been thinking about lately: most (all?) security vendors publish their “top-threats” periodically. Those lists are made up by centralizing numbers reported by their clients. While it is safe to assume that the majority of the enumerated threats are blocked straight-away – before they can execute a single piece of code – there is a certain percentage which is after-the-fact detection (ie. the machine gets infected, a signature comes out later on at which point – if you’re lucky – the security program will block the malware).
Now I have no idea about the relative size of this subset (or if the companies have it, or how they can collect it for that matter), but I find the idea that marketing material put “out there” can backfire amusing :-).
Picture taken from tigger1fic's photostream with permission.