IE and standards
by Simon at 13:11 05/07/04 (Blogs::Simon)
This is why I say IE doesn't follow standards.

Regarding IE and security - the problem is that IE doesn't sandbox untrusted executables and, since the MHTML engine is a core underpinning of the OS running with admin privs, a cross-domain vulnerability means that your Windows box ends up being ownable.

In contrast, other browsers typically run as unprivileged users and specifically sandbox scripts, in-page executables etc., so the chances of a catastrophic result from any particular vulnerability are much reduced.

MS's default security model is too open, and even if users have the tools to close the obvious holes (via preferences etc.), the typical user won't employ them.
--
simon
