About Windows Installer, the .NET Framework, and Visual Studio.
Michael Howard, our Sr. Security Program Manager here at Microsoft, blogs about how an article in PC Magazine, "Making Windows XP Start Faster", effectively destroys the improved security features in XP SP2 by having readers turn off the Automatic Updates and Internet Connection Firewall (ICF) services.
Great improvements have been made, and are still being made, to the development process and to code and binary quality through better code reviews, static analysis tools (many of which are developed in Microsoft Research), and more. But it's information like this that can destroy all that much more quickly.
External firewalls are great to have, but many people are connected directly to the Internet via either modem or broadband (which is more likely to be attacked). People who don't know what a firewall is might not know that they need one, especially in those cases.
Personally, I'm running both an external firewall on my router and the firewall in XP, which I turned on even before SP2 turned it on by default. Automatic updates also make sure that your computer is kept secure.