An important caveat to this line of thought is that GOOD education DOES work to prevent risk behaviors.
A blanket 'Just Say No' campaign like the one ran by Nancy Reagan in the 1980s did more harm that good because, when a lot of the kids had it force-fed to them for a decade grew up and discovered that marijuana didn't immediately kill your or turn you into a junkie, many of them threw out the entirety of 'Drugs are bad, m'kay?' and went on their merry way destroying their bodies with harsher and harsher drugs.
However, kids who had explained to them what drugs really did to a person's body and which drugs were more addictive and which drugs were less were, and are, less likely to actually do those drugs.
The same is true of sex education. It's been shown with frequently tragic consequences that 'Abstinence Only' education usually makes the teen pregnancy and STD situation worse in places where it's taught. However, more complete sex education that explains pregnancy, STDs, and all the other associated risks that go along with sex causes a notable decline in teen pregancy, STDs, and an actual increase in the average age at which teens start having sex.
I have found the same line of logic to be true with IT security. If you make a point of explaining the whys and wherefores, perhaps going so far as to make an interesting, engaging education program, the people who are your 'risk vectors' decrease, as do the number of security incidents you have to deal with.
No, you never can completely eliminate the problem. However, by offering education that is interesting, complete, and that doesn't treat the recipient as an idiot, you can dramatically reduce the problem.