The security folks at SANS have a post measuring the average time for a new, unpatched Windows computer to get hacked once it's been put on the Internet.
There's some discussion at Slashdot about how this may be too low, and that the real time is more like 16 hours, but it's still not a lot.
As Dave LeBlanc likes to say, "Boot it, and they will come."
NAT firewalls cut out the easy attacks. Being sensible with how you browse is always a good idea, too.
Of course, it's different if you're a hobbyist: