In 2009, 34 vulnerabilities were detected in Apple’s OS X; so far in 2010 the count has risen to 175.
Most vulnerabilities in Mac OS X are found in third party components included by default such as Flash, Java, multimedia codecs, PDF support, and more. Most of those vulnerabilities exist in other OSes once those third party components are installed.
Not all vulnerabilities are exploitable and Mac OS X has very few privilege escalation vulnerabilities. Privilege escalation exploits are required for successful malware install without password authentication. There has not been any malware on Mac OS X that achieves privilege escalation without password authentication.
Too bad that Firewall is OFF by default, and most users will never turn it on.
In terms of the common understanding of a firewall, Mac OS X is not running any firewall by default. But, firewalling constitutes more than just an application firewall or a packet filter.
The Unix DAC model insulates different levels of the system by controlling access based on users and groups. This is supplemented by Unix permissions and access control lists.
Sandboxing also constitutes a form of firewalling. Sandboxing in Mac OS X is an implementation of the TrustedBSD MAC model. This is used to sandbox mandatorily exposed services, such as mdnsresponder. Often this type of sandboxing, when used to supplement Unix DAC, is labelled as an application firewall; for example, AppArmor (found in some Linux OSes) is referred to as an application firewall (also by default only used for mandatorily exposed services).
Given the sandboxing of mandatorily exposed services combined with other remotely accessible services being turned off, Mac OS X is firewalled by default even though it does not ship with the conventional application firewall turned on. If you do not turn on any of the services found in the "Sharing" pane of System Preferences, there is really no need to turn on the Firewall except for peace of mind.
Also, application firewalls, such as the one found in the "Security" pane, typically only understand the protocols for sharing services (VNC, FTP, SSH, etc.) if used on the standard port for the service and provide only basic filtering for non-standard protocols or services using non-standard ports.
Stateful firewalls are better in general, as they provide the benefits of both packet filters and application firewalls. IPFW, the packet filter in Mac OS X, can be set up as a stateful firewall. The easiest way to do so is to download an IPFW GUI, called Noobproof, and set it to run in "supernoob mode."
Mac OS X has three types of firewalling. The application firewall is turned off by default. The packet filter, IPFW, is running but with the most open ruleset. The TrustedBSD MAC framework is enabled by default.
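As an added example (not part of the post above, and not what NoobProof emits), here is a hand-written stateful IPFW ruleset of the kind the post describes, for the Mac OS X releases that ship ipfw. The rule numbers, the `lo0` loopback name and the helper function names are assumptions chosen for this illustration; the default rule 65535 is the one ipfw itself always keeps.

```shell
#!/bin/sh
# Added example: a minimal stateful IPFW ruleset for Mac OS X (rule numbers and
# function names are assumptions). ipfw evaluates rules in ascending order and
# ends with the built-in rule 65535 "allow ip from any to any", which is why the
# shipped ruleset, with nothing ahead of that rule, is the most open one.
ipfw_stateful_rules() {
    cat <<'EOF'
add 00100 allow ip from any to any via lo0
add 00200 check-state
add 00300 allow tcp from me to any out setup keep-state
add 00310 allow udp from me to any out keep-state
add 00400 deny log ip from any to any in
EOF
}
# Rule 200 consults the dynamic table; 300/310 create dynamic entries for
# connections this host opens, so only their replies come back in. Rule 400
# drops every other inbound packet, so any Sharing service you do turn on
# needs its own "allow ... in" rule numbered below 400.

# Number of static rules in the set above (used for a sanity check).
rule_count() { ipfw_stateful_rules | wc -l | tr -d ' '; }

# A ruleset is stateful only if it both populates the dynamic table
# (keep-state) and consults it (check-state); return 0 when both are present.
ruleset_is_stateful() {
    rules=$(ipfw_stateful_rules)
    printf '%s\n' "$rules" | grep -q '^add [0-9]* check-state$' || return 1
    printf '%s\n' "$rules" | grep -q 'keep-state$' || return 1
    return 0
}

# Load the ruleset into the kernel. Requires root on a Mac that has ipfw;
# on any other system it refuses and returns 1 instead of doing anything.
apply_ipfw_rules() {
    command -v ipfw >/dev/null 2>&1 || { echo "ipfw not present" >&2; return 1; }
    tmp=$(mktemp) || return 1
    ipfw_stateful_rules > "$tmp"
    ipfw -q flush             # drop any existing static and dynamic rules
    ipfw -q "$tmp"            # ipfw reads "add ..." commands from a file
    rm -f "$tmp"
    ipfw list                 # show the loaded ruleset, ending in 65535
}
```

Run `apply_ipfw_rules` as root to load the rules; `ipfw -d list` additionally shows the dynamic entries that keep-state has created.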