Being that this was a Java exploit which required a visit to a website at the least, I would say that those that got infected have more time on their hands than they know what to do with.
Security starts and ends with the user. If someone gets a virus, it is most likely that they do not care, are not paying attention, or are clicking on stupid links that go to stupid things that are not related to their work duties.
Corporations have yet to learn that training is required (less than 30 minutes to show someone the tricks to look out for), and an actual damage assessment and punishment system in relationship to breaches.
Sure IT may get an increase in calls at the start, but it is worth it in the long run.
Would you uses a bank that did not take security seriously?
Yes, because NON of them have adequate security for their customers. They protect their own servers with billions of dollars of protection, then let you pay by waving a card in the air or *shudder* sending a text message.
There is never time to do it right, but always time to do it over.