If your CIO asks such a stupid question, run for the hills; he should not hold that title.
Every company, small, medium or large, should have firewalls, intrusion detection, and managed virus protection software at the very least. Windows is the most deployed OS in the world and of course the main target of hackers, i.e. viruses. Macs to a lesser extent, and Unix, while probably the least vulnerable, are still not immune to viruses, Trojans and other malware.
Users can still be the victims of Trojan horses, phishing scams, and other online fraud. There is no such thing as a 100% safe computer; Mac, Windows, and even Linux are all capable of being infected with a virus or other malware.
Lastly, any computer that is not encrypted is vulnerable to physical access.