Security and Mac OS X is never an easy topic to write about. There's so much emotion, advocacy, and arguing going on that getting to the heart of the matter can sometimes seem impossible. However, once you sort past those issues, the state of security on Mac OS X isn't terribly complicated, nor bad at all. It's not perfect, but it's not the final world in Quake, with pitfalls and monsters behind every corner.
Even with the recent QuickTime Java vulnerability discovered by Dino Dai Zovi at the CanSecWest contest, the Mac isn't suddenly a kitten in a shark tank, waiting to be devoured. There always have been, and always shall be, vulnerabilities in this, or any other operating system and platform. It's a fact of life, and one that Mac users in particular, should approach with more of a sense of equanimity and awareness.
When we're talking about the state of security on Mac OS X, it's useful to use the kinds of threats we hear about or have heard about in the past as a guide to help us focus our discussion. I'll do the same here, moving from the more "human-based" issues to the more "human-excluded" issues. I'm also going to, in the interests of clarity and space, stay out of larger security issues like firewalls, NAC, etc. This article is focusing on Mac OS X and the Mac user as much as possible.
Mac users are exactly as vulnerable to phishing and social engineering attacks as any other platform. If you voluntarily give out personal data, passwords, user ids, etc., there's nothing an operating system can do to protect you from the results of those actions. Browsers and e-mail clients are starting to try to incorporate various antiphishing measures, but at the end of the day, this isn't something that can be solved via a purely technical solution. If you give out the keys to the kingdom, as it were, you will have some rather severe barbarian problems.