I thought about users and security a lot over many years... and I gave up on end-users. You, of course, cannot.
How many, 1 billion PCs worldwide? Hundreds of millions of financial transactions every day. It is a miracle that so little is compromised! On the other hand, you can buy (in a couple of hours, at any time of day) DVDs full of legit credit card numbers and other relevant data, if you know the sources.
End-user security will never improve, because IMHO we cannot show the users pictures of rotting carcasses or dying baby seals... something to make them more aware, more cautious BEFORE something 'bad' happens: they lose their money or suffer ID theft. Who uses PGP? Who checks his own passwords with password crackers? Who encrypts his emails? When did you last update your key fingerprint?
My concern is more on the company and government side. The recent New York Times article that explained how the Google hack was possible (including the use of Microsoft Instant Messenger and a click on a link - ah, ActiveX controls) made me shiver.
Your company is as secure as your dumbest employee? But who was the real risk factor? The guy who clicked? The supervisor who did not explain not to use such a thing? The CTO who had no policies in place to explain the risks to the employees? etc... whose fault is it?
Blackhats who are after individuals are not my concern anymore. We need to think of the Chinese hacker madras (no offense, fellow Chinese devs), the cyberwars that are going on right now. The daily attacks we have to deal with on a daily basis. Industrial and military espionage is real. Our technology is used in critical areas. The vulnerability is there, too. People who work in sensitive areas need to be educated.
[Edit] Consumer-world end-users? What can we really do for/about them?