One of the most difficult things about computing for non-technical people is dealing with requests from software to update. Most aren't sure what's safe to allow (or what might be masquerading as a legitimate application) and it's particularly a problem for people who don't use their machines frequently, leading to multiple updates/reboots when they do. Fortunately, in situations where non-Windows systems aren't an option due to barriers such as peripherals, specific software or re-learning (which have been the case for almost everyone I know) there are a few ways to improve this situation.
Microsoft options for firewalling and protecting against rogue software have improved a lot in the last decade. Windows 7 is somewhat safer than predecessors, architecturally, and its built-in firewall is an improvement over the XP SP2 one. Although it's still not going to be a good indicator that something undesirable has wormed its way onto a system and is trying to connect out, you've got to balance that against the fact that a firewall (eg, Comodo, which I use) throwing up prompts when software has updated gets non-technical users into the habit of clicking 'Allow' to everything, or they block legitimate software and OS functions. Consider using hardware firewalling at the router and a basic software firewall for these users.
As far as antivirus and anti-malware defences go, Microsoft Security Essentials rates well alongside commercial products. That you still get IT folk giving dishonest advice such as "If you haven't paid for your anti-virus, please uninstall it" is disappointing.
After the OS itself, AV and firewall software, Adobe products are frequent offenders. Security holes in Adobe Reader (previously Acrobat Reader) and Flash have been widely exploited, with Adobe's response being to add tasks that run at system startup and nag users to install updates. Foxit Reader is a far less bloated and intrusive alternative for viewing PDF documents, paying more attention to security. For Flash, which will probably be around for a long time to come regardless of HTML5 and Steve Jobs, the most pragmatic approach is to use a browser that has it as an embedded component... enter Google Chrome. If that'll suit user requirements, its silent updates are a plus. It also works with the Rapport security software recommended by many UK banks, and a functional AdBlock Plus extension is now available.
Another persistent irritant often seen in startup applications can be Java. I sometimes use a text editor built on it, but for most users it's preferable to avoid applications that have it as a pre-requisite and avoid having the large install and updates that come with it.