For Windows before 10, I used to use EMET. It blocked a few Firefox crashes that were either non-reproducible bugs or active exploits over the years. :)
For Linux, I use the grsecurity kernel patches. (I run Debian with the dotdeb repositories for PHP 7.)
I do most of my casual Internet browsing with Tor Browser (via torbrowser-launcher) inside of a virtual machine. Once a site is trusted, I'll actually visit it in my host OS.
I use password managers. Mostly LastPass (for casual use) and KeePass (for high-security use).
I encrypt my hard drives (with a 64-character passphrase) and smartphones (with a passphrase, not a PIN).
What do you store in Keepass that falls under high security use? Why not just use KP for everything?
Maybe he just prefers the UI of LastPass over KeePass, and is willing to compromise on some security for usability?
Precisely.