Unfortunately, this is wrong!
On the one hand, the firewall must also be configured correctly. If you release every request of a program for access to the Internet – then soon you will have a lot of holes.
Of course, there are also attacks via legitimate channels – your browser and your mail program must be able to access the Internet, and the firewall won't help you either.
Unfortunately, this is also wrong.
Of course, an up-to-date antivirus program is important for security.
For this, the virus signature database must also be updated at least daily.
But a virus program can only search for known pests, so it chases the attackers.
The updating of the "normal" software packages, on the other hand, eliminates the possible attack surfaces, since the manufacturers close known gaps in their updates and patches, possibly even before pests are "on the market".
It's like driving a car: just because you fasten your seat belt, you don't drive carelessly – or the other way around. Both measures are necessary.
This idea is also a fallacy.
Of course, a password should be "secure", i.e. difficult to "crack" - please refer to the Passwort-Richtlinien an der TU Braunschweig.
But even a "strong" password can be lost, spied on or even "cracked". And if you only have one, then all services and websites are immediately open to the attacker.
A separate, "strong" password should at least be used for each sensitive service.
Password-safe software such as KeePass (or similar) helps to manage and generate such passwords.
See also: BSI-Sicherheitsirrtümer-Internetsicherheit
You can check how secure your password is here Kaspersky-Passwortcheck or here Howsecureismypassword.net (never use actually used passwords for this!).
Tips for secure passwords can be found here: Heise-Passwort-Schutz-für-Jeden and also here Passwort-Sicherheit (tu-braunschweig.de)
Of course, careful surfing behaviour drastically minimizes the cyber risk - but unfortunately, even trustworthy sites can be infected or hacked from time to time - for example via advertising banners, invisible (statistics) counters and the like.
And with techniques such as cross-site scripting and drive-by infection, you no longer need to click on a suspicious link - you won't even notice that your computer has been infected.
In addition, you too can be inattentive and fall for a deceptively genuine replica of a "good" site or accidentally click on a link.
It doesn't help - as soon as you are somehow on the Internet, you have to protect yourself with firewalls, virus protection, good passwords, security updates - and of course with caution.