Secunia provides the numbers and they are bleak: nearly all Windows computers are likely running at least one unpatched application and about 40% contain 11 or more vulnerable-to-attack programs.
Secunia ASP research shows that more than 95% of the PCs that have downloaded and installed its Personal Software Inspector (PSI) utility in the last week sport one or more applications. The solution is usually pretty simple, download the security fixes, but most people are not patching their systems.
So many systems are insecure. Almost half scanned in the last week have 11 or more vulnerabilities, while more than two-thirds have 6 or more unpatched programs.
Keep in mind that the typical user is more than most concerned about patches so the numbers are no doubt higher amongst average users
PSI runs on Windows 2000, XP, Vista, and Server 2003, and can be downloaded from the Secunia site.