I'm not saying users are completely blameless littel angels. But I'm so sick and tired of this reflex of blaming everything on stupid users.
Some comedian said it very nicely about another topic: When a house burns down, and the firefighters put out the flames, they don't just go home and write a report saying "fire destroyed the house". They go in and sift through the debris and try to figure out what caused the fire.
In IT we largely don't do that. We treat users as mystical black boxes and root causes and once we've found the user somewhere in the chain of causality, we stop. We don't ask ourselves why the user made this mistake or why the users don't seem to want security. We say "stupidity" the same way ancient map makers put "here be dragons" on their maps.
And that, I say, is stupid. We should go in there and figure out what actually is in that white spot. Why did the user make this mistake? Why do they fall for phishing? Why do they want speed over security? And a boilerplate "because they're stupid" is not an acceptable answer.
We're so smart (or so we think), but we can't figure out how to make security desirable, unobtrusive and a positive experience. Really?