Rescorla is soon to give a talk at Usenix entitled The Internet is Too Secure Already which points the finger not at the user (it's pointless to blame them) but at the incentive structure which encourages people to spend too much time making sure that systems are impregnable against high-end attacks. The field is full of papers perfecting stuff that's already really good rather than fixing the stuff that's really bad. Usually the real problem is we don't have a deployable, usable system which integrates the good-enough cryptography into our applications and networks. Companies may now finally be willing to pay for that, which they haven't in the past, out of their own needs and new government regulations (like HIPAA).
Update: I previously said that Ekr already gave this talk but he's in fact going to give it in August.