Ultimately it comes down to a few things.
Most people have the mindset that as long as you keep Windows patched and have some form of anti-malware on your PC, then you are golden.
But the reality is that the most dangerous malware is the kind that spreads before a patch is published, otherwise known as 0-day malware. Many antivirus solutions likewise struggle with 0-days: they may be good at finding older malware, but struggle with malware that is fresh out of the door.
The better way is to have the OS in a more secure configuration out of the box. One big step towards that is to stop using admin accounts by default; this was originally Microsoft's plan when UAC was introduced, but for whatever reason it never came to fruition, and here we are many years later still not using LUAs by default.
The Windows firewall allows applications that don't even have elevated permissions to add rules to it, as well as being in a fairly open configuration by default.
PowerShell ships in an open configuration.
Windows still uses the insecure-by-nature svchost and rundll.
AppLocker is still not activated on consumer versions of Windows.
Defender's protected folder feature has an internal whitelist which cannot be disabled; likewise UAC by default has an internal whitelist, although that one can be disabled.
Most of these flaws exist because Windows is still built for end-user convenience, and also for market segmentation, as some features are deemed enterprise-only. One of the new features that will be enabled by default in Windows 11 was originally enterprise-only, but Microsoft has been gradually moving it over to consumer.
Chrome has me concerned as well; what the browser is capable of is scary. If you look into its permissions system, it allows websites to hook directly into cameras, microphones, USB devices, the filesystem, a virtual filesystem, the Windows Installer API and more. All exploits waiting to happen. Essentially Google has built an OS into Chrome, as a substitute for taking over the PC OS market.
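As an added example that is not part of the post above, here is a read-only PowerShell audit of the Windows defaults the post lists (admin account, UAC auto-elevation, firewall defaults, PowerShell policy, AppLocker, Controlled Folder Access), so a reader can see where their own machine stands. It assumes Windows 10/11 with the built-in NetSecurity, Defender and AppLocker modules; it reports and changes nothing.

```powershell
# Added example, not from the original post: report the defaults discussed above.
# Run from an elevated PowerShell; every call is a query, nothing is modified.
$report = [ordered]@{}

# 1. LUA vs admin: is the interactive user a member of Administrators?
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
$report['RunningAsLocalAdmin'] = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 2. UAC: ConsentPromptBehaviorAdmin 5 (default) lets signed Windows binaries
#    auto-elevate (the "internal whitelist"); 2 = "Always notify" prompts for all.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$report['UAC_EnableLUA'] = $uac.EnableLUA
$report['UAC_ConsentPromptBehaviorAdmin'] = $uac.ConsentPromptBehaviorAdmin

# 3. Firewall: per-profile default actions plus the number of live inbound allow rules.
foreach ($p in Get-NetFirewallProfile) {
    $report["FW_$($p.Name)"] = "Enabled=$($p.Enabled) In=$($p.DefaultInboundAction) Out=$($p.DefaultOutboundAction)"
}
$report['FW_InboundAllowRules'] = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True).Count

# 4. PowerShell: execution policy per scope and whether script block logging is on.
$report['PS_ExecutionPolicy'] = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
$sbl = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue
$report['PS_ScriptBlockLogging'] = if ($sbl) { $sbl.EnableScriptBlockLogging } else { 'not configured' }

# 5. AppLocker: does the effective policy contain any rules at all?
try {
    $xml = Get-AppLockerPolicy -Effective -Xml
    $report['AppLocker_HasRules'] = [bool]($xml -match '<(FilePath|FilePublisher|FileHash)Rule')
} catch {
    $report['AppLocker_HasRules'] = 'module unavailable (consumer edition?)'
}

# 6. Defender Controlled Folder Access: 0 = off, 1 = block, 2 = audit.
$mp = Get-MpPreference
$report['CFA_Mode'] = $mp.EnableControlledFolderAccess
$report['CFA_UserAllowedApps'] = @($mp.ControlledFolderAccessAllowedApplications).Count

$report.GetEnumerator() | Format-Table -AutoSize
```

The numbers for UAC and Controlled Folder Access follow Microsoft's documented registry and Get-MpPreference values; any row that reads "module unavailable" is itself the finding the post makes about consumer editions.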