Couple of years ago a significant news site here in .no had their ad network hacked. The result was that if you were browsing that site that morning, and was a customer of the largest bank in .no, you'd silently got served some software which would do a MITM attack against the online account page of said bank, redirecting any payments you did without your knowledge.
All you had to do was to visit that site with Java installed on that computer, which most users of said bank did because their 2-factor login relied on Java...
I use firefox which I've locked down pretty hard. No site gets to run active content of any kind by default. No java, not even javascript. That and all the ad-blocking really limits likelihood of my getting infected from just an initial click, but even that isn't foolproof. IE once managed to let attackers get you just by viewing an image (CVE-2005-2308)
0-days are not limited to javascript - the next one might well be in the canvas/image/svg renderer. When someone has targeted you with a 0-day and you load the site they compromised website, all bets are off.
This attitude is exactly what the spear-fisher is hoping for! Mac people, especially, think their OS is "secure by design" (as Apple says it is) and there's no way they can be attacked.
Take another look at the article! This took advantage of a Firefox 0day that really could run software outside the brower's sandbox just by clicking on a link.
If that link has browser 0day, it can. If that link takes you to a page you expect to demand login creds (google groups, youtube, google docs), it can.
All you had to do was to visit that site with Java installed on that computer, which most users of said bank did because their 2-factor login relied on Java...
So yeah, don't click on random links.