Just to be certain, though, which, if any, of your three "how-they-do-its" is vulnerable to an Apple Security Update?
Any of them.
The people, usually Eastern European organized crime, who distribute malware via compromised Web sites or poisoned banner ads will often rely on known security vulnerabilities in popular Web browsers or plugins in order to download malware.
Once you have ended up on an attacker's site, whether that's by a poisoned banner ad or by clicking on a seeded link in Google or whatever, the site will often attempt an assortment of different exploits. It may try to exploit holes in the Flash player plugin, for instance (that's one I'm seeing a lot of lately--on Macs it just crashes the browser, on Windows it silently downloads and runs malware); ir it might try to exploit known flaws in known browsers (like Internet Explorer flaws); or it might try to exploit something like a RealPlayer security hole. If all of those fail, it will try to trick you into downloading and installing the malware yourself.
Apple security updates will fix flaws in the browser and often will include third-party software or plugin fixes as well. For example, the update that just came out earlier this year fixes flaws in the Mac version of the Adobe Flash plugin. Even though Apple didn't write the plugin, they included the security fix as part of the general security update.
So to answer your question directly, security updates can mitigate Web attacks regardless of the mechanism used to get you onto the attacker's page.
