Never thought it was a widespread problem, otherwise risk-averse casual users would be infected by the millions.
Even though they say 1% is a lot, I think their definition of malicious may be different than my own.
Since every webpage has about 20 different ADs or even more, that is like saying, that every 5th webpage is infected, not so little. Even their test proves it, since 40k ADs on 600k webpages, that is approximately 15 on each, excluding ADS, that repeat themself. Thanks for adblockers.
If data-mining/fingerprinting was seen as malicious, the percentage would probably reach high double-digit.