
Comment Re:So for this attack to work. (Score 1) 268

Point by point:
#2: Many of the attacks use Zero-day exploits that are not public knowledge.
#4: See #2
#5: If you have more than 1400 servers there will be some that are vulnerable and when that happens they get one door they need. Hopefully it is just some departmental webserver so the scope is small but they almost certainly now have at least the first foothold they need to grab some accounts and move from there if they don't have a Zero-day exploit they can use.
#5 (2nd #5?): What they get is the SAM database which is hashed using NTLM so it is vulnerable to rainbow table attacks.

So for it to work you just need:
1) An exploit not publicly known that allows remote code execution or elevation of privilege. There are at least 2-3 of these a month.
2) Compromise a departmental webserver/app server and start working backwards... Eventually you will get more and more accounts until you get something interesting. At the worst you have mapped a typical server and know your attack surface. Maybe they run Tivoli? So scan specific hosts for Tivoli vulnerabilities but do it slow so it isn't seen by IDS. If they run Symantec AV use the exploit that is out right now to get on a privileged system...

So obviously it isn't as hard as it first seemed, and it isn't a matter of incompetence with large companies; there are simply too many possible ways in. Your best defense is a layered one with a lot of monitoring of your logs and IDS sensors to watch for things that look unusual. Baseline your traffic so if you see a large upload over https to a server in a weird location you can flag it! It might be your SAM database going out the door...

tl;dr: In a large company there are a lot of ways to get in; if you think you are safe you are lying to yourself.
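The "baseline your traffic and flag a large upload to a weird location" advice in the comment above, worked into a small detection routine. This is an added example, not code from the original post; the proxy log lines, host names and the 10x threshold are constructed assumptions, and the IP/country values are placeholders.

```python
from collections import defaultdict
from statistics import mean

# Constructed outbound proxy log (hypothetical): timestamp, source host,
# destination host, destination country, method, bytes sent by the client.
SAMPLE_LOG = """\
2016-03-01T09:00:00 ws-101 mail.example.com US POST 120000
2016-03-01T09:05:00 ws-101 mail.example.com US POST 95000
2016-03-01T10:00:00 ws-102 crm.example.com US POST 45000
2016-03-01T11:00:00 ws-101 mail.example.com US POST 110000
2016-03-01T12:00:00 ws-102 crm.example.com US POST 52000
2016-03-02T02:13:00 ws-101 203.0.113.45 XX POST 48000000
"""

def parse_log(text):
    """Turn whitespace-separated log lines into dicts."""
    events = []
    for line in text.splitlines():
        ts, src, dst, country, method, nbytes = line.split()
        events.append({"ts": ts, "src": src, "dst": dst,
                       "country": country, "bytes": int(nbytes)})
    return events

def build_baseline(events):
    """Per source host: mean bytes sent, plus destinations and countries seen."""
    sizes, dsts, ctrys = defaultdict(list), defaultdict(set), defaultdict(set)
    for e in events:
        sizes[e["src"]].append(e["bytes"])
        dsts[e["src"]].add(e["dst"])
        ctrys[e["src"]].add(e["country"])
    return {s: {"mean": mean(v), "dsts": dsts[s], "ctrys": ctrys[s]}
            for s, v in sizes.items()}

def flag_uploads(events, base, factor=10):
    """Return (ts, src, dst, reasons) for uploads that deviate from the baseline."""
    flagged = []
    for e in events:
        prof = base.get(e["src"])
        reasons = []
        if prof is None:
            reasons.append("no baseline for source host")
        else:
            if e["bytes"] > factor * prof["mean"]:
                reasons.append("upload %.0fx larger than baseline" % (e["bytes"] / prof["mean"]))
            if e["dst"] not in prof["dsts"]:
                reasons.append("destination never seen in baseline")
            if e["country"] not in prof["ctrys"]:
                reasons.append("destination country never seen in baseline")
        if reasons:
            flagged.append((e["ts"], e["src"], e["dst"], reasons))
    return flagged

def run_example():
    """Learn from day one of the sample log, then evaluate day two."""
    events = parse_log(SAMPLE_LOG)
    learn = [e for e in events if e["ts"].startswith("2016-03-01")]
    check = [e for e in events if not e["ts"].startswith("2016-03-01")]
    return flag_uploads(check, build_baseline(learn))
```

In practice the learning window would be weeks of proxy or NetFlow data rather than one day, and the threshold tuned per host class.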

Comment This is how our company does it (50k+ employees) (Score 1) 460

The categories that are blocked should come from the "Business" side and not from IT, except maybe sites that cause operational impact. What we do is assign owners for the block categories and act as the liaison to them when someone wants something unblocked. For example:

Pornography - Human Resources
Social Networking - Human Resources
Guns and Violence - Corporate Security

In our case IT only owns the sites flagged as malware and excessive bandwidth.

So when someone sends in an email asking for access to Facebook we ask them to complete a form, we then take this form to HR for review. The reason we take it and don't tell them to take it to HR is to allow the block owner to make the decision outside of the scope of politics and without the anger many employees sling. You have NO IDEA how angry people get when something they want to get to is blocked even if the block is completely reasonable.

IT is there to enable the business to operate so they need to tell us what they want to give people access to.

Comment Re:It's like bicycles... (Score 3, Informative) 349

Let me answer your points directly as someone who has been doing some POCs of thin clients in a large (40k+) environment.

1. it simply switches the cost of the workstation maintenance to the back office as you need an immensely powerful data centre to drive thousands/tens of thousands of these terminals;
True, except it is always cheaper to manage and maintain those systems than desktops. We know per unit how much each desktop costs us to manage and maintain, and we also know the same information for our big-iron boxes and Citrix farm, and it came out that if we could serve 20 users per server it was a large cost savings and it helped with support. We even got savings at 10 per

2. you still need a service desk as most requests we get are for new employee accounts and handling typical release incident;
You need this now anyway in a large enterprise environment, and you now need fewer deskside people and remote support is easier.

3. people want to stay competitive and having a one size fits all typically prohibits one-offs, even if there is an obvious advantage;
Not if you do VDI, which means you deliver a full desktop to the users.

4. problems affecting a cluster will affect everyone so you still need backup PCs for critical service delivery.
No, you just have multiple deployments and redundancy. In most large corporations most apps are client-server (regardless of whether that is a fat client or web client), so there is experience in making systems redundant.

Does it work for every user? No, but it does for most; the challenges are:
1) The initial cost of deployment
2) User and business acceptance

If you can solve those issues you will experience year to year cost reductions.

Comment I have worked for two companies that do this (Score 1) 1055

In general I love it, especially since in IT we tend to easily work 9 hour days. A few drawbacks that in my mind are minor compared to the benefits:

1) Some people will abuse the system and will still put in 8 hour days and take the Off-Friday off. If you are a good manager or have a good team this won't be any more of an issue than any other issue.
2) You will find that you will often not get the Off-Friday completely off; in general I work 2-3 hours every Off-Friday.
3) 9 hour days can be a bit tougher until you get used to them.
4) If it is just your group that does this it will fail miserably; either the entire company does it or none at all.
5) As a manager you need to arrange coverage. On a smaller team many people will fail to get a complete Off-Friday if they are on-call etc. You can do alternating Off-Fridays but you will find that it is tough since many people will expect everyone to be there on an "On" Friday.
6) If you outsource parts of your infrastructure they may have issues with your lack of availability on Off-Fridays and the outsourcer may use that to extend tasks due to it. Or they may get more done since you aren't there to hassle them ;-)
7) A lot more work is crammed into the first 4 days of a week. At times Monday through Thursday can seem hellish.

I have had this schedule over two employers for a total of 5 years and I would HATE to go back to a normal 5 day workweek. The Off-Friday helps keep me sane and allows me to get things done that I can never do on weekends due to family and weekdays due to work!

Comment Re:"theoretical" (Score 1) 184

The sentence above that also says:
"'This suite is up to now still vulnerable to many potential malware attacks,' they wrote. The team has already fixed a software bug discovered by the researchers, and the two groups are in discussions about how to improve the overall security of the software."

So the important issue was fixed and now they are discussing how to improve security overall; it sounds to me like they handled it perfectly.
