There are many factors at play, including among them in house politics at Microsoft. In particular the fact that they don't have a central figure with the ability to dictate security policy among their product groups. A security czar if you will. Imagine if there was the equivalent of a Steve Jobs inside of Microsoft but the only thing he was worried about was security *THEN* shyt would get done.
Otherwise you have one too many individuals with "security" in their title with no ability to dictate policy in products. Developers inside of Microsoft are pressured by managers to make product deadlines so MS can show growth to the stockholders (hint: none of them are thinking about security) and the end result is nothing progressive, creative and user friendly on the security front gets done. This Dilbert strip eludes to what I'm talking about:
What's more you have individuals like the guys on ZDNet's Security blog who love to post about the latest flaws in applications, whether they be QuickTime or Microsoft Office but never point out that many of these issues can be severely mitigated by not running with administrative credentials.
The "principle of least privilege" gives you the most bang for the buck when it comes to security yet Microsoft has been woefully bad at empowering Windows XP desktop users which lead to Windows' reputation of being insecure. Many security issues that are specific to an application, whether it's IE, Office, QuickTime, Adobe's PDF reader, etc., etc. become way less interesting when you remove administrative rights.
That's why there's 300,000 viruses in the Windows universe and like 7 on Mac OS X. Because Mac OS X has never had people running with administrative rights.
Vista with UAC is a big step in the right direction. Windows 7 presumably will cache the fact that you've approved an installer to do something and let it run its course up until the process (associated with the installer) terminates. This would eliminate prompting users multiple times and annoying the hell out of them.