Yes, and the original standard allowed any site to frame any other site and access any data from it... This isn't 1999, and you shouldn't be quoting a 12-year-old spec to talk about security issues that weren't even known at the time. Read the HTML5 spec and maybe you will start to see just how many nuances there are in keeping things working while having security on top. Not even the HTML5 spec explains all the complicated shit that browsers have to do... Mozilla's documentation is the best resource for this stuff because they describe what a real browser does. Here you go, first google result:
https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
X-Frame-Options is a standard header (despite the "X-" part, it is a standard security feature built into *all* modern web browsers, including IE), and it is up to a site owner to choose to use it. This is the only guaranteed way to solve clickjacking attacks. Other methods require javascript enabled and some nasty hacks. See this page if you don't believe me:
http://stackoverflow.com/questions/958997/frame-buster-buster-buster-code-needed
That said, it's like using a hammer to put in a staple, way overkill. Problem is, there is no way to guarantee that your page is not being clickjacked -- there are so many ways to do a clickjacking attack that browsers simply can't guard against all of them, for example, plugins, opacity, ...
Yes, users shouldn't be stupid enough to input confidential information when the address bar has an untrusted URL... but the clickjacking attack works by showing users confidential information that only a trusted site could possibly know and giving them a familiar login form... It's very difficult for all but the most trained user to distinguish this type of site from the real thing.
Not all sites use this, but Google decided it was worth adding the header to protect themselves. That's their decision to make. For my web page, I'm considering the javascript-based solution because it allows a more clear message and lets users override the check if necessary, but this may compromise security in one or two cases, so it's a tradeoff.