My opinion is pretty much in line with Mark's "flippant" comment. All those viruses, spyware, and other garbage are a potential threat to the business' bottom line.
One real classic example, which is very real, is a virus that will encrypt EVERYTHING on the hard drive. It will do this silently, and keep decrypting everything for a few days. Then, one day, out of nowhere, it will stop. At which point you will be presented with a choice: pay a ransom to get your data back, or lose it. Now imagine if one of those viruses hit your business. All work would come to a grinding halt until that was taken care of. Could your business really afford to have everyone just standing around because they can't get at any of their data?
Another example is what happens if someone makes copies of all the confidential data contained on those computers, then either blackmails you into paying to keep them secret, or posts them on the Internet somewhere, maybe even giving copies to your competition. These are not far-fetched examples; they go on every single day.
So what I would propose is this... You go to your boss and lay out a case for how the time lost dealing with all of this spyware and virus garbage is costing the company huge amounts of money. Then you propose that the way to help combat this is to apply security updates to the machines in house. To help make this go over a little easier, I would recommend you suggest designating one person's system to be the "testing" box. This person's box gets all of the updates applied shortly after they are released, and if, after maybe a week, no major problems arise, the updates can be rolled out to all the other systems in the office. Different people can be the designated tester every month, or it can always be the same person, depending on how you want to handle it.
With my method, you are providing a full proposal that includes some safeguards. If anything goes wrong with an update, only one system will be affected, which is considerably better than all of them being affected. You are also going through her, so it doesn't seem like you're trying to challenge her authority. What's more, you are presenting it in such a way that it looks like you have the interests of the company in mind, not some personal agenda.
The one tricky aspect to all of this is that if things are as bad as you say, any attempt to install, say, SP2 will likely bring about the immediate death of the operating system. So, in order for this plan to be implemented, you will need to format and reinstall Windows on EVERY computer, and get at least SP2 installed BEFORE you ever connect to the Internet. This will probably mean coming in early or staying late for a week or two. So be sure to make it look as if the overtime pay you may get for doing this will be minor when compared to what the company stands to gain over the long term.
After you get all the updates installed, and have worked on some policy whereby you can keep the systems reasonably up to date, you can work on getting the use of Internet Explorer banned at work. Using Firefox or Opera instead of IE will do wonders for cutting down on the virus and spyware problem. It should slow the flood to a light trickle. However, the unfortunate reality is that change takes time, so start by just getting her to rubber stamp the update idea. Once she's had time to see what a great idea that was, you can push the no-IE one.