You make some valid points, but I don't think the myth of the "educatable user" is a myth at all. There's a reason why most security experts, and AV-software vendors, emphasize the need for educating users. It's not to deflect responsibility from the software. It's not to undermine their own business model. It's because you need, both, reasonably secure software and reasonably educated users. Sure, you can't expect users to be perfect; even the security experts themselves are fallible. But without basic user precautions and some level of basic security sense, even the most security-hardened system will still be as vulnerable as if no software security had been implemented at all. Otherwise, you're basically only left with the option of making "idiot-proof" software that one would use by choice.
Let's face it, perfect security is often impractical or just infeasible. Many people have to work with Windows and outdated versions of the IE browser in environments where the principle of least privilege just can't be practically implemented. In those cases it makes sense to minimize risk by educating users and setting the appropriate company policies. Heck, it makes sense to do so even outside of such extreme cases. It's about having a balanced security implementation (not putting all your eggs in one basket).
Just recently there was a story on /. about how some penetration tests were conducted, demonstrating the vulnerability of financial institutions to (relatively unsophisticated) social engineering attacks. If you're in the financial/banking industry and you have "uneducatable users" in your company, then they need to be replaced immediately, as they're the biggest threat to your system. It's cheaper, easier, and more realistic to train (or replace) an employee than to try to design a security system that is idiot-proof or is immune to social-engineering attacks.
So the problem isn't the myth of uneducatable users, but rather the complacency we've developed towards walking attack vectors on the company payroll. Perhaps if companies didn't resign themselves to the fact that users have to be stupid, this wouldn't be such a self-fulfilling prophecy. Spend a little more money to attract/hire higher quality job candidates if you have to. All the stories in the news of massive data leaks and other security breaches should be enough to convince most intelligent company execs that this is not something that an organization to whom security is crucial should skimp on.
And who knows? If people start losing their jobs because they're downloading and running executables from unknown sources, or they're giving their password to anyone who bothers to ask, or are otherwise computer security illiterate, then perhaps they'll start making an effort to learn. This isn't the 1990's. Personal computers have become an everyday appliance like the TV or telephone. There's an entire generation of workers out there today who've been brought up on computers and the internet. It's not very hard to find an accountant, or secretary, or VP of sales, etc. who are tech-savvy enough to not open up your network to outside attackers every time they're at a computer.