That's not entirely true. Even if I behave completely above-board, it's possible that some site I visit has been compromised by hackers. Without some kind of protection, I could then be damaged by malware.

How can a compromised site damage your machine, given that you keep your browser updated?

Isn't that the whole point of 0-day bugs? That they work against fully updated browsers?

And how would an antivirus save you against such a bug in the browser?

By detecting some typical exploit pattern, the exploit kit itself, the malware the exploit eventually ends up downloading and executing, or even the malicious host itself. There might be other ways too, but those at least are the most typical ways.

An antivirus definition file is a lot easier to update than a browser component that is exploited. The latter generally involves a lot more testing, whereas the former is essentially just metadata.