Probably a combination of both (plus a little bit of user education on the MS side of the equation.) Recent MS operating systems and browsers are more secure then older versions that are slowly being phased out, most users are using firewalls/anti-virus enhancements, and users are more aware of the fact that certain attachments/files are not safe to just blindly open. On the Adobe side it seems like a decade of stuffing in useless bells and whistles to Acrobat to justify the size/budget of that group within Adobe is finally making the code too complex to properly vet and things that seemed like a good idea in the "what features should we add to the next rev" meetings are now looking like bad choices. The problem Adobe faces is that it is hard for a big company to remove features and they no longer have enough dominance over the spec or marketshare to create a "new and improved" version that enables them to paper over or rip out their mistakes.

Many such exploits are in-browser, and require no action on the part of the user apart from visiting a highjacked/fake web-site.

Why do I have to choose? And more importantly, why do malware guys have to choose?