The topmost thing is keeping the OS up to date. And I don't visit shady websites.
Flash standalone is removed, and disabled in Chrome. Lastpass for passwords. Tunnelblick+privatetunnel for open networks. And even though I use some software that isn't signed, after I've installed such software I revert the Security & Privacy "allow apps" setting back to app store+identified devs. And relevant, just by coincidence, in this case, I'm using 10.9.5 (which is still currently maintained with security updates).
The reality is that Mac users are simply used to trusting Apple to handle these sorts of things. And it's not a good alternative for that trust to be lost and placed in a 3rd party, e.g. on Windows where trust loss means a litany of 3rd parties to choose from in that space with no real practical way to differentiate, and the Windows Store described as a "cesspool of scams." Apple will get this fixed soon. It's definitely sub-optimal response-wise, but I still trust this ecosystem compared to Windows at this point.
Exploits and high-risk vulnerabilities are certainly being closed with security updates. That's their purpose. Major changes aren't practical for Apple, and they do everything they can to incentivize (badger) people into upgrading to the current version.
You can also install another OS. Putting an Ubuntu LTS or Debian stable on it will help you way more, compared to OS X 10.9.5, than any number of other mitigation strategies.
Frankly, I'm way more comfortable taking my Windows 8.1 machine to public wifi hotspots these days than my OS X 10.9 machine.
Oh, yes, obviously use google-chrome (not even chromium; there's too much free-software-purity stuff in the Debian builds to make me feel comfortable with its security profile). At this point it didn't even occur to me you could use another browser and consider yourself secure, such is the awful world we live in.
Edit: Oh and Privacy Badger.