First lets talk about Hotmail. Hotmail is a MSN member. This is Microsoft. Microsoft should be instituting policies and mechanisms which encourage, aid, and teach the user how to make proper use of the security settings inside of their web browser. Just to get Hotmail working I had to tcpdump the packets going through one of my intermediary systems and then see who was being called. I knew I had typed hotmail.com, and the Hotmail login page redirects to passport.net--but who would've known that one also needs to add passport.com to the trusted sites list? No where, except inside of the tcpdump log, did I see a reference to passport.com.
Therefore, MS and the big corporations create their own security problem. It isn't the users. It is solely the fault of the people who oversee the corporate framework of the internet.