Eli Dourado does a great job in taking on this kind of argument in his Mercatus working paper - on the syllabus in my Economics of Current Policy Issues course.
First, the externality is, in most cases, inframarginal: most individuals have sufficient personal interest in ensuring security that the external benefit accrues inframarginally rather than at the margin. In other words, while it's true that people benefit others when they install proper security software, they're doing enough to benefit themselves at the same time that they're likely getting things right.
Second, there are plenty of other parties that have an encompassing interest in ensuring that the Internet works well. Google has a harder time selling ads if a lot of clicked links install malware and the like; consequently, Google works hard to make sure that, if you're using their Chrome browser, you get lots of warnings if you try to visit a dodgy site.
We'd think that Microsoft would have a similarly encompassing interest. Why isn't a decent security system built into Windows? I recently built a computer and put Windows 7 on it. After a bit of searching around, I found that Microsoft produces a very decent, and free, Internet security package. So I downloaded it, for free, and installed it. And I wondered why it wasn't built into the OS. Surely it would be in Microsoft's interest that people using their machines be protected against virus attacks, and it's precisely the kinds of people who don't know they need to go searching for an antivirus package who'd be the kinds of people who'd impose costs on others by letting their machines turn into a zombie.
Then I remembered... Microsoft gets slapped around by the Department of Justice and the European antitrust guys whenever they try to make Windows better by adding features. Bundling antivirus into Windows, where it should be, could be deemed a measure that the Europeans would figure would hurt competitors; hurting competitors seems to matter more than helping consumers in European law. And Eli pointed me to this article from 2008 offering antitrust as reason why antivirus hadn't been built into Windows.
Fortunately, it looks like Microsoft's found a workaround for Windows 8. Antivirus will be built in, but will be automatically switched off if any other vendor's product is installed; it only turns back on if the user fails to renew the subscription to the alternative product. Note that Windows 8 is already under antitrust investigation in Europe, but for browser default issues rather than antivirus (so far).
