I am interested in the answer and here is the perception I have built looking for an answer:
Things are not black and white. Mac OS X is inherently more secure, yes. Bulletproof, no. Mac OS X has been less hit in the past because it had less market share - correct. But it's not only market share. It is ROI: how much effort for the return, and how many automated tools are out there for Mac.
Java is a more likely attack vector on Mac OS X, and hence it is not Mac OS X that is not secure. Yes, Java is weaker, but asking people to turn off Java is not practical, and Mac OS X has its own weakness (plists, ...). All major OSes now implement ASLR, and Lion then Mountain have caught up with a better implementation now.
Please correct me if I am wrong, but all antivirus software out there seems to be pretty much on par, differentiating slightly on the responsiveness to 0-day attacks. Also, most seem to be scanning Windows signatures mostly (normal, there are more of them, but not everyone runs Windows on their Mac). Seems like old stuff to me. Are they efficient against browser, Acrobat, thumb drive attacks? Rootkits?
Sophos is better? http://www.kb.cert.org/vuls/id/662243 . Now patched, but Sophos, like most antivirus software, requires root (admin) access to install. This makes them a vector of attack themselves: if hacked/backdoored, they run with all the privileges. I think one attack in Mac OS X was a buffer overflow on encrypted PDFs. Now fixed, but that doesn't mean that other weaknesses don't exist.
Bottom line, there is no easy solution, and no one-size-fits-all. I personally use Chrome, disable Java, block plug-ins and all I can block while still being functional, and only use Safari on websites I can have higher trust in (intranet mostly).
Hope this helps. Curious to hear your solutions as well.
Thanks - Gilles