Security vendor Sophos reported last week that Microsoft's Vista is vulnerable to at least three pieces of widespread malware, two of which date back to 2004. At least three well-known internet worms - labelled Stratio-Zip, Netsky-D and MyDoom-O by Sophos - are able to execute on the operating system, according to Sophos.
However, because these attacks rely on user interaction to execute the code, Microsoft has denied this is a flaw. Microsoft said these attacks rely on social-engineering techniques to be successful.
It's really tough to stop malware when it's the user who's executing the code. ;)
If I recall correctly, that virus software comment was taken out of context. It was referring to an account that an executive had created for his son, which was locked down with almost no permissions. I really don't think that comment was meant to imply Vista in general could be run without AV.