What is the proper classification of a browser (or plugin) based drive by exploit? It still requires user intervention to be installed, but no need for the user to manually bypass security. I've personally never referred to these as proper viruses.

It should be noted that Java is not installed by default on OS X 10.7, and is removed if a user upgrades from 10.6 to 10.7. Apple did add a dialog to install it on first use. If the user ran just a normal Java application, the web portion isn't enabled. If a user browses first to a Java web page, they would have to manually click the little box where the Java applet was embedded to then get the install dialog. Makes me wonder how many of the infected installed Java for the first time just for the malware, compared to actually using Java prior to it.

For Matt, marketshare is likely part, but not the complete picture. History has lots of examples of the smaller marketshare systems being exploited like crazy (such as the real, proper self spreading virus problem classic Mac OS had), or systems that have a commanding marketshare without too many issues (Linux servers). Malware is evolving over the ages too, initially just being destructive for no good reason. Now it's mostly interested in turning a machine into a participant of a bot network used for spamming or other activities that can be bought and sold on the black market. Or stealing personal data to be resold in some form, including MMO logins to sell off their virtual currency.

It helps that OS X's core is a pretty battle hardened Unix variant. Multi user operating systems demand security like features more then single user systems (Classic Mac OS and Windows, and to some extent NT on the desktop with XP,Vista,7), due to the nature of also needing to ensure one user couldn't impact another back in the mainframe days. Modern single user systems (iOS/Android) still benefit a bit from their Unix like heritage, and choose to add more security from day one with code signing and other technologies to help minimize the risk.