OSX and Windows have several things in common, one of which is that they allow most users to run executable applications.
If a user insists on running some piece of malware, just how exactly will OS X stop him from doing that?
Maybe OSX has no way to let a particular application start every time the user logs on. If that is the case, then yes, it is probably more secure. It would also be a helluva lot less convenient! I don't think that is the case, do you?
So... A piece of malware is run by the user, it sets itself to start every time the user logs in... Damage done. No difference between OSX and Windows so far, right?
UAC is designed to only question the user in case an application requests admin privileges. It is not designed to second-guess the user in case the user simply runs a normal user-level application (or piece of malware).
What the morons over at Sophos have shown is that a user can screw with his own setup. If they had also shown that other users of the same machine were infected, then they would have bragging rights. As it stands now, an admin of that computer simply has to wipe the infected user profile and create a new one. (or simply clean it manually -- whatever is easiest)
That does not change much, no matter what OS you're using. PS: I've not used resident AV products at home for twenty+ years -- no infections so far. Of course I patch security holes often, but I would do that with other operating systems too. (except OSX, where updates often run quite late)