This is all good and everything, but I just wanted to point something out - socially engineered malware can be avoided 100% of the time by the user, with no intervention from a browser. Don't click on e-mail links that are suspicious, know that your bank and other institutions will never ask for your user name, password, or account number, etc.
I'm guessing for this test they clicked on every suspicious e-mail link and then calculated how many times they were stopped by the browser? I'm sure if Chrome wanted to up their percentage they could have the browser throw out a pop-up everytime you opened a link from GMail that said "Hey, you're probably getting screwed by clicking this link for male enhancement that you didn't sign up for you idiot."
I know it's a little facetious, but if you're going to be on the internet you have a responsibility to be careful about socially engineered malware. It's not up to the browser. If someone walked up to you on the street and told you that your bank account had been compromised and they were wearing a badge from the company, would you really just give them your account number and personal information? I don't see how people react differently when it's in e-mail.
Just my two cents... but good job IE9
Now start syncing bookmarks across Live Accounts, package Flash with your browser and integrate Flash updates, get on a 6-month release cycle, stop lying about your HTML5 performance, and fix your JavaScript rendering and you'll still be 6 months behind Chrome.
for your good comment & Example