My workstation has a big assed red banner when I log on saying "DO NOT STICK A USB IN ME YOU FUCKING MORON"*. So if this study was conducted at my site, or was malicious, I'd wager they'd have a few things to say to me.
"Just look at how people have reacted to this spring's exploits of web sites and services...they don't blame themselves for choosing idiot passwords or not cancelling services they no longer use."
Really, do people believe that the ends justify the means as long as we're showing vulnerabilities lulzsec style? I mean even following that logic doesn't give you props. Exploiting stupid, or simply thoughtless, behavior just means you aren't clever enough to crack effective solutions and are targeting low hanging fruit like a gimped monkey.
*Color is correct, but the wording might be paraphrased