Safari supports everything that Quicktime does. You can add the support yourself, just like you could with Theora: http://xiph.org/quicktime/
http://perian.org is a Quicktime Component that wraps around libavcodec (ffmpeg) that has a pretty wide install base on OS X and checks for automatic updates by default every time it's loaded in an application. Google has a set of patches for ffmpeg on their site that will surely get picked up and automatically distributed before too long.
If Apple ever ships support, it'll be with Quicktime, not the braindead approach of linking it directly into the browser. IE9 has this approach too, just with a codec whitelist. Google Chrome bundles a pared-down libavcodec that you can swap out with your own. Opera does the same but with GStreamer.
In reality, the new version of Flash with VP8 support will get %95 penetration in a couple months after it's released, and fallback to Flash will continue to be how the <video> game is played. I wonder if Google's stopped charging Adobe for VP6 as a quid-pro-quo? It seems like that (and VP7 for Skype) were On2's sole sources of revenue.
Just curious: do you know why IE9 uses a codec whitelist? Why not just support any codec installed on the PC? Does Safari's QuickTime usage have such a whitelist?
Because the codecs are unsandboxed native code running in the browser process with full access to your user data. That you downloaded from the internet. To enjoy pornography and pirated media (and pirated pornography!). It'd be a perfect exploit delivery vehicle, and on a newly-prominent attack surface (see the recent @font-face exploits)
It's a much bigger problem on Windows because shitty DirectShow codec packs have a huge install base -- I wouldn't be surprised at a hundred million! It'll be a little better now since XP users won't get it, and the codec pack situation has cleaned up a lot in the last few years.
The IE team is doing the right thing for the situation they have. Anybody that cares is going to be using a different browser, their support for <video> just means that we won't have to use a Flash fallback for Vista/W7 users that allow updates.
Google is unlikely to prompt IE users to install the WebM codec on Youtube, since it'll work better with h.264 anyway.
Apple doesn't use a whitelist now, but they might in the future. Their attack surface is more constrained, since it's only the code they ship directly (the library, their default codecs, and the pro stuff they ship with Final Cut), Perian/libavcodec, and Xiph/liboggplay that are actually installed anywhere. No cambrian explosion of repackaged hacked codecs to deal with.
