First, all operating systems and applications have holes. Humans program them, humans aren't perfect, and the code humans write isn't perfect. The idea that any operating system, be it Mac OS X, Vista, Linux, Solaris, HP-UX, or z/OS, is perfectly secure is a fantasy. So let's dispense with the idea that any operating system is going to offer some magical protection against attacks.
When it comes to malicious Web sites attacking an unpatched hole, about all you can do is try to mitigate the damage an attack can do against that hole until a patch is released. For example, the recent QuickTime Java hole could be defended against by disabling Java in your browser.
If you wanted to be safer, you also could disable JavaScript, but that tends to break the Internet, at least from your point of view. This is one case where advice like "Don't go to bad Web sites," while succinct, isn't of any great use. For one, you can't tell something is a "bad" Web site until you've loaded it, and it's a bit late then.
Secondly, even a known-good site that has been cracked could be doing damage without its owners realizing it. Again, all you can really do in cases like this is configure your system to be safer during the vulnerable period, and if you run as an admin, consider setting up a non-admin account. This way, the possible damage is reduced.