Risks have changed very much over the years. You used to be able to get an infection from simply visiting a bad website, but that has changed with advancements in browsers.
Most infections now occur when users manually download and manually run infected files. It is usually the fake alert websites with rogue security products like fake antivirus, ransomware, fake Flash Player updates, media codecs, etc. These types of infection have been the most successful to date, since most AVs don't detect them until it is too late. The majority of zero-day infections are this type of malware.
There are still exploits in the wild, but most only apply to outdated browsers, Flash Player, PDF readers, Java and other online software, and to users who don't install the latest Windows Updates.
It is actually very rare for a home user to get hacked or get an exploit if they keep their software updated.
If you just watch what you download, only download files from trusted sources, keep your software and Windows updated, and use a good real-time AV, you are pretty much protected now.
Thanks.