Here's a nice link, tho a bit technical, outlining why Mac users may need to get a bit more "worried" about the future;
Dino-Dai-Zovi-Mac-OS-Xploitation
This same guy will give a presentation for a
rootkit for OSX
Just a small heads up.
Anyway, not running a AV sounds to risky to me, you don't get malware (I use malware in this case to refer to virusses, adware, trojans, rootkits) from only visiting naughty websites or unknown mail senders..
Perfectly legit websites can be hacked and host a virus, or legit sites can link to a site (adverts for instance) that contain malware. It happens, not often but it does happen.*
You can get an IM message that can contain malware. Your best friend that sends you a mail may have an infected PC.. Or someone who has your best friends email address might be infected and send out mails in his name unknowingly.
You can download "free to play" games that may have malware (Not meaning pirated games here). Hell, you can buy a Music CD from Sony and have that install a nice rootkit.. (Anyone remember that ?)
The biggest reason why WinXP is so vulnerable is because most end users run as administrators as that's is how MS let them set it up, therefore programs, like IE, run with full admin rights and because of it's design has full access to the system (great idea on paper in days long gone, less in the modern age). Linux and similar OSes usually don't and are therefore still less end user friendly (I'm talking about Joe Average) but far more secure.
If you set up XP with a Admin account and a normal user account, configure the router correctly (not opening every port there is for instance) and use the PC with the normal user account and use the admin account to install software you're much safer. Offcourse you still have those that don't read when Windows pops up (usually confusing) message boxes requiring user action but at least know you know that something is trying to do something you don't want.
*maybe it happens more often tho, esp if people are using an OS with an admin account and/or an not up-to-date OS (that goes for XP, Linux, OSX, any other OS out there). If you don't have a AV or firewall you don't get a warning off course so you don't know if you're infected or not, most malware doesn't advertise itselves as they install or run and/or hook up to legit processes/programs so you don't notice them. And not every "free online" scan is able to detect as many mallware as paid installed version (granted the paid AV programs won't be able to detect every threat out there as well but they usually get updated more)
My personal opinion is: better save then sorry. Having an AV hardly impacts any modern PC (I use NOD32 and never notice it's presence), the paid AV's aren't that expensive either and the firewall in the router is good as well. And as said, never run as admin on any OS that lacks all updates and have all ports open in the firewall.