Re: NOT only Open Networks
WPA/WPA2-Enterprise is vulnerable to this kind of attack if the client is not properly configured. Assuming you are using a sensible EAP type (e.g. EAP-TLS, PEAP-EAP-TLS, PEAP-EAP-MSCHAPv2) you will have some form of mutual authentication. A bogus RADIUS server can very easily accept any connection, however the client should only connect to the network once it has confirmed that the SSL certificate that the RADIUS server has provided is signed by the expected certificate authority. In an Enterprise, this would normally be an Enterprise CA, but it could be signed by a public trusted CA so the client can and should also validate that the common name in the RADIUS server's certificate matches what it expects.
The problem is that a lot of people who are unclear on how SSL/TLS works (or are lazy) go and disable this validation in the connection settings for the SSID because it's easier than all that tedious faffing about with CA certificates and heck, we just want to get the device connected, right? It's scary how many "idiot's guides to WPA Enterprise" actually tell you to turn that check off!
For laptops that are members of an AD domain, the administrator can force the correct settings via Group Policy (and prevent the user from modifying them). For mobile devices, it is not so easy to enforce.
Combine this with the PNL implementation issues or hiding the SSID (yes, people still do this!) and your client will sit there sending probes out advertising "please can I connect to this SSID, please, pretty please" - practically a hacker's charter.
To what extent is this actually going on in the real world...very difficult to quantify.
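As an added example (not part of the original post), the client-side checks described above can be audited on devices that use wpa_supplicant, which is an assumption here since the post names no particular supplicant. The script flags Enterprise network blocks that pin no CA, check no server name, or probe for a hidden SSID; the sample configuration, SSIDs, paths and hostnames are constructed.

```python
import re

# Constructed wpa_supplicant.conf sample (not from the post): one network with
# server validation left off and a hidden SSID, one set up as the post advises.
SAMPLE_CONF = '''
network={
    ssid="CorpWiFi"
    scan_ssid=1
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi-Good"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-enterprise-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
'''

NAME_CHECKS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

def parse_networks(conf):
    """Return each network={...} block as a dict of key -> unquoted value."""
    nets = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\n\s*\}", conf, re.S):
        pairs = (ln.split("=", 1) for ln in body.splitlines()
                 if "=" in ln and not ln.lstrip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(conf):
    """Map SSID -> list of findings for WPA/WPA2-Enterprise networks."""
    report = {}
    for net in parse_networks(conf):
        if "EAP" not in net.get("key_mgmt", ""):
            continue  # only Enterprise (802.1X) networks are in scope
        findings = []
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append("no CA pinned: server certificate is not verified")
        if not any(net.get(k) for k in NAME_CHECKS):
            findings.append("no server name check: any cert from the CA is accepted")
        if net.get("scan_ssid") == "1":
            findings.append("hidden SSID: client sends directed probes naming it")
        report[net.get("ssid", "?")] = findings
    return report
```

Calling `audit(SAMPLE_CONF)` returns three findings for `CorpWiFi` and an empty list for `CorpWiFi-Good`.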