Being on the latest version of Windows, with the latest patches, isn't a guarantee of safety. Most exploits require the user to do something dumb, which is why I have little sympathy for most individuals with malware or virus infected PCs.
For gaming purposes I still have a Windows 8.1 box that I've never applied a single patch to, and in fact, Windows Update hasn't yet been configured on that install. After a year, it's yet to have a single malware or virus related issue, despite a constant online connection.
You see, if you don't have open ports with vulnerable servers listening on them for outside sources to target, aren't otherwise downloading and executing nefarious code, and haven't opened up a bunch of shares to software that can be infected on your machine, what attack vector is somebody going to use to infect your computer with unwanted code?