Most users just aren't going to tell you the whole truth about what they do online. And when you throw, ah, the "son" (let me guess; a teenager?) into the mix, it just gets worse. Most sites try to police themselves, but there are all sorts of avenues malware can use to enter a site. Two or three months ago, I saw some figures that claimed that roughly 67% of the sites hosting malware were legitimate sites that had been hacked. Sorry, can't put my finger on the reference immediately.
But here's a link to an article that discusses some of the ways malware can end up on a site. I include the example because it addresses a common vulnerability, and it also reveals how some malware is targeted.
I was recently discussing internet security with a client while her child was on NeoPets. The child clicked a link to play a game (in Firefox) and the link immediately opened an Internet Explorer window which reported that the system was infected and the user should download what was undoubtedly a Smitfraud variant. Then we talked about the NoScript addon.
Basically, I think you're going to find that Craigslist is well policed, and that videos hosted by YouTube are safe, but external links may not be. Essentially, good security on the internet requires some knowledge of basic security issues plus some judgment and restraint.
Edit due to cleaning up late night typos. Doh!