There have been several studies ...
^hmmm...whether FF is more secure and less vulnerable to malware/virus attacks is probably open to question; that i'm not sure about. i would still be inclined to be 'on guard' with regards to malware/spyware/viruses etc. but i do find the browsing experience far more fluid with FF...
There have been several security studies on FF v. IE.
Some notes ...
1. OS-based issues can still affect Firefox -- e.g., the Windows executive/launcher is still an issue for Firefox users, especially when proper enforcement of security "breaks" expected Windows operation. I.e., a common complaint about Firefox is compatibility, and most of those details come down to security decisions. Another "compatibility" issues are actually implementation, with some IE versions not even being as compatible (especially IE for non-Windows, like Mac or Solaris).
There are no less than 2 dozen known,
critical exploits for MS IE that take advantage of the integration in Windows. If you load MS Office (among other Microsoft apps -- especially those IE/Outlook integrated) on those systems, it's really impossible to disable those functions. I always and highly recommend
removing Outlook Express (and not loading MS Office/Outlook) on Windows systems. Outlook is the worst security disaster in the history of computing, with IE barely behind. It utterly destroys any ounce of security left in the core Windows executive/launcher.
2. OS Privilege level is everything. On non-Windows systems, like Linux, your user is non-privileged, so infections are limited to the user. If you run SELinux (like in corporations), it is truly contained in ways that Microsoft rendered Windows NT-based kernels impotent every since IE was released. It helps on Windows if you run as a non-privileged user when you surf, and with "Switch User," there's really no execute not to do this. I highly recommend it, with a user that does not have "administrator" privilege -- although it's still not as "non-privileged" as UNIX-like system (long story).
3. Javascript is still an issue (as well as Java), although Firefox lets you disable a lot of Javascript, a lot of people don't for features, including more interactive "AJAX" designed sites which require Javascript
4. The biggest issues of IE is the Windows integration, including for non-browser items. That's why even when you disable something in IE, it doesn't disable it for some functions. That's the biggest difference between Firefox and IE. When you disable Javascript in Firefox, you really do disable it. When you disable Javascript or ActiveX in IE, you really don't disable everything. That's where the biggest security difference is -- Firefox, which properly "locked down" (even if only partially functional with many sites) is damn good, IE is worthless as disabling isn't really disabling.
I use PrefBar to combat #3/#4 and only enable Javascript and other things for "known, good sites." It's a simple click on the PrefBar to do so.
I also run Linux, removing the majority of #1/#2 issues, although just running as a non-privileged user on Windows helps combat 99% of issues with any browser.