Many Information Security people have mused why on Earth "Real People" (i.e. those without propellers) simply don't "get" security.
Jesper's written a thought provoking article on the very subject.
Like Jesper I've worked in Information Security for many years and the fundamental challenges remain - it's very easy to get most people to circumvent the pesky information security measures.
Information Security should begin and end with responsible people using a little additional brain power to apply "electronic common sense" to decisions about information access. We technical folk must make it easy for everyone else to make the right decision based on their objectives. We can't hope to secure information without helping users to understand security.
Two thoughts. If you accept the precept that most people are fundamentally lazy and will take the easiest option in any scenario then, if it's easier to be secure than not secure, people will default to 'secure'. It's up to us in the security community to provide solutions that do not require conscious thought on the part of the user, rather we have to make security 'just the way it is round here'. Secondly, too much of what we do (and say) gets hung up on security as if it's something special, that uniquely requires special skills or processes. Instead we should try and get users to recognise that security is just another facet of the business operations and that security risk management is no different to marketing risk management or investment risk management. Whilst we have our own terminology and solutions, so do the marketeers and accountants. We're not special, we're just different, in the same way as the other business operations are different to each other.