We shall have to agree to disagree.
Not that I don't think that the quote from the article you reference is correct, but as close to 100% of critical vulnerabilities affecting Windows would never be exploited, and could never be exploited, were it not for direct user action.
Learning how to safely interact with cyberspace is not rocket science, and those who don't do so get infections of various sorts on a regular basis.
The user is the first and primary line of defense. That many just don't, can't, or won't recognize this creates a virtually insurmountable problem.
Also, the frequency of needing admin privileges is directly related to exactly what one does on a regular basis on one's machine. I am endlessly updating software related to what I do for a living and, as I said previously, would lose my mind were I not able to act without anything more than UAC popping up on a regular basis. The fact that I have not had a malware or virus infection on any of my machines for several decades now and no detections and quarantining means I have to be doing something right. It's not "just dumb luck."
Brian AKA Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134
. . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it. The willing suspension of disbelief has its limits, or should.
~ Ruth Marcus, November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story