It would definitely reduce the attack surface. And even though Windows has “security” issues patched all the time, rarely are they ones so severe that you can just roll up to a machine and send it a weird HTTP reply and get admin access. Usually it’s stuff like if you have a shortcut file on disk it gets to run code when you look in the folder, or something. Not great for working with downloads, but hard to exploit unless at least one other thing happens (like visiting a malicious page, which then starts a download that the browser accepts).

But the browser calls out to the OS to do a lot of stuff (render images, render fonts, play sounds, etc.). It mostly assumes the OS can do those things without popping open a remote shell because too many emojis were rendered in a row or something. That is not always true, and when it isn’t you want an OS patch to fix it before you go on a site where someone can post the Magic Emoji That Hacks You.

But you are right that you can browse around trustworthy websites on an unpatched system behind a decent firewall for quite a while before you notice something bad happening. But also, a lot of bad things can have been happening for quite a while before you notice.