I'd say that the main myth of security is that its going to work if people have to think about it. It needs to be completely transparent to the user, which means that some things need to be changed or rewritten. People having to run Norton AV or Internet security, adaware, spybot, set security settings, or even click allow 300 billion times(I'm looking at you MS) just isn't going to cut it. Most users don't have the patience or knowledge to secure their boxes
/. not withstanding. Hell most windows users wouldn't ever patch their boxes if it wasn't for the auto update system, I certainly don't expect them for example to turn off windows messaging(although MS may have released a patch that fixes that).