This one is not new, but it is worth repeating. A team of researchers from Google (Google researchers? Doesn't Google already know everything?) released a paper on their study of web-based malware. Read it. It is OK if it takes a few passes to digest bits of it; it appears to be written by smart people. (See my first post if you wonder what that means.)
Link here to the nine-page (440KB) PDF
Out of the billions of URLs scanned, Google found 4.5 million of interest. 10% of those were demonstrably bad, pushing code to client machines, and another 16% were questionable. That is 450,000 "evil" URLs and 700,000 questionable ones. How many have your users visited this week?
This is why web filtering is important: it keeps malware off your network. Keeping employees away from bad things is just a bonus.