In a welcome relief, we didn't have any huge, rapid mega-outbreaks in 2009. Conficker was a widely spreading malware program, infecting over 10 million machines. It was nothing to sneeze at, but it was not the rapid-spreading, everyone-is-infected-in-a-day type of worm such as MS-Blaster or SQL-Slammer. As with all the previous very popular worms, though, patches were already available before the malware program's release but were often not applied.
As expected, malicious hackers started to target social networking sites in a big way. Some of the biggest attacks were against MySpace, Facebook, and Twitter users. This trend will probably only grow. Hackers attack what is popular.
On the positive side, for the tenth year in a row the expected besiegement of mobile phone malware didn't happen. Sure, there were mobile phone worms and Trojans, but we read more stories about them than actual infections.
But again, I can't help but be a Scrooge about the whole year. No matter what the security gains were, the hard reality is that users are being exploited more than ever, and often by their own hands (e.g. the exploit didn't need an unpatched piece of software to do its dirty business). Most users are exploited by being tricked into installing malicious software disguised as an antivirus scanner, needed software patch, or video codec.
We catch almost no one. Any headline claiming that we've captured or prosecuted some uber hacker is almost never correct. The caught criminals are almost always minor players in today's world. If they get prosecuted, the fines are usually pretty minor (for the money they've stolen), and the jail sentences are so short they don't serve as a future deterrent.
Botnet creators operate with near impunity. Heck, some of the cyber criminal gangs are so huge and well known they have multi-page Wikipedia entries. See http://en.wikipedia.org/wiki/Russian_Business_Network as an example. The evidence against the Russian Business Network is available for anyone's review. It's more public evidence than we've ever had against a mafia organization, and yet there has never been a single RBN member prosecuted. Bank account-stealing Trojans are on the rise.