It happens and I've proven it at my old job multiple times, much to the dismay of stunned IT officials, as recently as 2007. Get a new Windows XP Pro SP2-based PC workstation fresh out of the Dell or HP factory packaging. Connect Ethernet port to a firewalled, routed, professionally run LAN connection at a Fortune 500 company office. Boot up, and wait about 20 minutes. Literally don't do anything except turn the machine on; just let it sit at whatever default Windows first-run nags.
Then install Norton and run a first check. No fewer than 50 viruses, spyware programs, worms, trojans, and other bits of malware auto-downloaded in 20 minutes every time I tried this. It was always slightly different, which to me indicates there are massive botnets searching for specific root-level vulnerabilities in Windows OSes across vast IP ranges.
This has been my experience. More recently, I've been running XP and Windows 7 beta on a couple of test boxes, with AVG installed, and I have yet to have any problems with either, but the experiences I had testing/proving my theory in 2006 and 2007 are hard to forget. I had multiple witnesses each time, all of whom were certified IT professionals.