agree on that. but be honest, it's not only warez that has trojans attached, many pages/mails have these too.
How may times you just ignored ssl certificate warning and just clicked on a link ? don't say never.
Anybody catching a trojan by opening an email attachment nowadays is either really ignorant or has just used a time-machine from the early 2000's.
Just clicked? Never.
If you just ignore certificate warnings on a page that had a "trusted" certificate before, you're insane (or clueless) and willingly opening yourself up to mitm-attacks.
If it's a page you haven't seen before, you can't trust it and its content anyway.
Catching malware by just surfing the web has become next to impossible. Exploits that let you run arbitrary code on the client are worth big money and aren't used to infect John Doe's Laptop. Once in the wild the bugs are fixed in no time.
But what do I know. I remove 100 search bars and browser hijackers from people's computers on a regular basis. Of course nobody admits that they just download everything, fire it up and hit next like a lunatic during the installation. And every time there was ABSOLUTELY NO WAY that there might have been a "Install ShitSearch CrapBar (TM)" box they could have unticked easily. Shit is installing itself. All the time! Especially when the power cord is unplugged.