It's not a question of security
It's a question of what is an appropriate level of security?
Sadly, that question very rarely gets asked. Most IT departments view security in the same way a thug views violence - if a little doesn't work, you need more. The problem is that when it's done badly, intrusive security becomes more of a problem itself than the situation it was meant to solve.
Most users don't care about security. They can't see it. They can't measure it. It doesn't make their jobs faster, easier or more efficient. From their point of view people who try to impose more of it on them are the enemy. The trick is to put the right levels of security at the right place and doing the right thing. Unfortunately almost no-one does this. We're all so fixated by the FUD/CYA mentality that we forget what our computer systems are for.
Ultimately, the only way they can be made completely safe is to lock them in a room behind a steel door, with the power turned off. They might not get any work done, but at least they're secure. What the security industry needs more than anything is a few sensible people, taking a realistic approach and finding the right balance between utility and keeping the baddies out. Not just slapping on another layer each time they read about another theoretical possibility in a technical publication.