Pretty much everyone has machines that can be hijacked by drive-by malware - there have been cases where 0-day exploits have been used for such attacks through targeted ads on reputable websites.
Following other best practices doesn't help you to protect against that, but preventing third parties from injecting arbitrary content on the [reputable/largescale/https] websites you're viewing does close one attack channel. One out of many, but a valuable one.
Everything everyone else said, plus: fake system alert ads are still around (and still fool a lot of people), fake download buttons are still common on free software download sites, and deceptive ads for junk or nuisance software are pretty common. PC Optimizer Pro sounds like a pretty good deal until you install it and it throws a teenage house party on your computer. And if that's not all bad enough, there are the fake phone support numbers for various services that keep coming up in Google or Yahoo. Google's dealt with some of that, but not too long ago you could type "Yahoo support" into Google and there would be a list of prominent and official-looking 1-800 numbers and support sites, none of which were clearly enough labeled as ads for computer novices, and all of them took you to remote support scams.
I hate dealing with client-side malware. It's a time-consuming headache for my techs, it's frustrating and sometimes dangerous for the customers, and it's a loss leader for my business. I've put a fair amount of effort into never doing a malware removal or system restoration for the same customer more than once, and ad blocking software has probably been the single most effective and reliable piece of prevention.
In a perfect world, where humans make no mistakes, you are right. In the real world, however, it is best to think about security on every layer of the system to guard the other parts, which might have unknown bugs.