Security training is a necessity, but its almost always done incorrectly. As much as it shocks us there are still hordes of workers who have no idea what spearphishing is or why anti-virus doesn't wholly protect their computer.... My belief is that once a year and at start date of the employee you have an online brief going over basic security/what to look for, reinforce the fact that the network and individual systems are monitored and let them know what the penalties can be for not practicing what they are learning. You make it so you have to click a question every 2 or so slides so they cant just click through and then the kicker is if they dont pass they dont get to take the test again. Everyone who fails has to go to an in-person briefing with security and corporate leadership.... Guarantee more attention is paid to the content when the possibility of looking like a dummy in front of the bosses is there (and yes I know the bosses will probably fail too...)

And of course everyone should agree better security implementation within systems, networks, apps, processes and etc... should be accomplished. Thats a no brainer. But by no means should we just disregard trying to ensure the user base who has never heard of half the shit talked about on Slashdot have some kind of basic knowledge of what can go wrong when they open up furry_kittens.flv on their work machine...