Here's the real version of that conversation:
"So what's wrong with it?"
"You have the latest flash virus. Have you opened any Word documents lately?"
"Of course! I use Word all day."
(scans hdd, finds the one in email that started it)
"Did you open this?"
"Of course I did. It's the weekly report."
"Didn't it WARN you there may be a virus?"
"I'm pretty sure it popped up and warned you about the security implications of opening documents containing flash applets from untrusted sources"
"What does that mean?"
"It means it warned you about a possible virus"
"Oh, well stuff pops up all the time and I just click OK so the computer will work. Sometimes it pops up again so I click Cancel"
Users are bombarded with dialog boxes, permission boxes, info bars, tray notifications, software update notifications, and so forth all day long. They don't read them, they just click YES/OK. If it pops up again, they try CANCEL (even if the text is different - remember they don't read it!)
That's why IE's ActiveX scheme was a massive failure - it relied on users to know what ActiveX was, know what digital certificates were, then make an informed security decision for each and every control that wanted to install. Even if the native code execution wasn't a huge hole all by itself the whole scheme is a massive failure because most users don't know what ActiveX is, wouldn't know how to verify a certificate if they wanted to, and can't control what the control does after it's installed.
This is also why Android is a huge security fail. It relies on the user to understand what the permissions mean and what the consequences are at the time of install. Even if you understood exactly what those 18 permissions were (including scrolling down to expand the list and finding identically named permissions but with slightly different detail text under them)... you can't enable-disable them if you decide the app shouldn't have some of them. Should App X be able to modify or delete USB storage? maybe... depends on what it wants to do! Should it be able to make phone calls or send text messages? Maybe... too bad you won't be asked about it when it signs you up for $9.99/mo SMS services. What about manage accounts? Maybe the app wants to legitimately manage accounts... or maybe it will delete your entire google account. Who knows, but you sure won't be prompted about it.
Any system that relies on the user to make potentially dangerous security decisions is an automatic failure; doubly so if the decision is irreversible and persistent for all time (which covers the vast majority of security systems in use today).
I'm almost certain that in the future we'll grant permissions to different apps and websites by answering at the time the app wants access to the resource, not forever. Further I think the system will want to keep a history (think git, but for the entire filesystem), allowing you to effectively "roll back" a bad security decision. That probably means browsers and apps all run isolated in their own OS-provided VM/sandbox and all sharing or filesystem access routes through the version control system.