Up to date information is a little hard to find, but a Symantec White Paper covers what went on in 2008 pretty thoroughly.
White Paper, 2008 PDF (110 pages 3.94 MB, full title "Symantec Global Internet Security Threat Report: Trends for 2008, Volume XIV, Published April 2009)
Some bits:
Symantec observed an average of 75,158 active bot-infected computers per day in 2008.
China had the most bot-infected computers in 2008, accounting for 13 percent of the worldwide total.
Buenos Aires was the city with the most bot-infected computers in 2008, accounting for 4 percent of the worldwide total.
In 2008, Symantec identified 15,197 distinct new bot command-and-control servers; of these, 43 percent operated through IRC channels and 57 percent used HTTP.
Of any browser analyzed in 2008, Apple® Safari® had the longest window of exposure (the time between the release of exploit code for a vulnerability and a vendor releasing a patch), with a nine-day average.
Mozilla browsers were affected by 99 new vulnerabilities in 2008, more than any other browser; there were 47 new vulnerabilities identified in Internet Explorer, 40 in Apple Safari, 35 in Opera™, and 11 in Google® Chrome.
In 2008, Symantec detected 55,389 phishing website hosts, an increase of 66 percent over 2007.
In 2008, bot networks were responsible for the distribution of approximately 90 percent of all spam email
A bot-infected computer is considered active on a given day if it carries out at least one attack on that day. This does not have to be continuous; rather, a single such computer can be active on a number of different days. A distinct bot-infected computer is a distinct computer that was active at least once during the period. In 2008, Symantec observed an average of 75,158 active bot-infected computers per day (figure 6), a 31 percent increase from 2007. Symantec also observed 9,437,536 distinct bot-infected computers during this period, a 1 percent increase from 2007.
Lets look at that last line again:
SYMANTEC … OBSERVED 9,437,536 DISTINCT BOT-INFECTED COMPUTERS DURING THIS PERIOD (2008).
Note that these are extracted "bits" from the opening summary pages of the paper. Details given later may clarify the real threat resulting from each of the above summary statements, with some appearing either more or less astonishing than might be the appearance from the out of context summary bullets.