I would like to know (and need credible references for) the percentage
of web browsers that are currently in use that are ONLY capable of
40-bit encryption (export strength).

Background: Prior to Jan 1, 2000 it was not possible to export
browsers capable of 128-bit encryption (only 40-bit).  In 1997 the
government started to allow SSL certificates that utilized
Server-Gated Cryptograpy "SGC" to be issued to financial institutions,
which allowed export versions of browsers communicate with financial
institutions using 128-bit encryption.

I _believe_ that all browsers AFTER Jan 1, 2000 were made capable of
128-bit encryption without the use of SGC, but I need references to
back this up as well.

Verisign and Thawte offer a "GlobalServer ID" and a "SuperCert"
respectively that offer SGC for much higher prices than their standard
certificates which are capable of establishing 128-bit encryption with
all "export only" 40-bit versions of browsers.

I understand that Netscape has not provided an "export only" version
since Netscape version 4.74 (released July 2000), and all Netscape
versions since then are capable of 128-bit encryption without the use
of SGC.  I do not know if or when Microsoft stopped offering an
"export" version of their browsers.

I believe that the vast majority of browsers out there are now capable
of 128-bit encryption, but I need some facts to back this statement
up.

In short, I am trying to prove that since almost all browsers are
capable of 128-bit encryption that there is no reason to spend the
extra money on purchasing a SGC capable certificate and SGC
certificates are quickly becoming a thing of the past.

It is important for me to know the answer to this question whether I
am right or wrong in my assumptions.  I will need information and
references to either back up or refute my assumptions.

What you are asking, I believe, boils down to a browser market share
question.

Upsdell tracks, via multiple sources, browser percentages and reports
the following:

Browser Stats (use with caution) 
Browser: Source 1 Source 2 Source 3 Source 4 
IE6 62% 70% 55% 54% 
IE5 32% 13% 29% 19% 
IE4 .95% .25% 1.1% .85% 
Gecko based 2.3% 9.0% 4.6% 15% 
NN4 1.1% 1.3% 3.1% 1.7% 
Opera 1.2% 2.2% .3% 1.0% 
other .1% 1.9% .25% .3% 
unidentified 1.4% 2.4% 6.1% 8.5% 

Given that the late-model IE browsers support 128-bit SSL - and that
the vast majority of users, by any measure, are using those offerings
- you should be good to go with 128-bit certs.  As an aside, 40-bit
certs are considered relatively insecure (easy to brute-force crack),
so you have a "marketing" angle to your client-side requirement of
128-bit encryption.

Cheers.