So what? Users are just too lazy - make them pass a test!
Most users just can't be bothered to use the simple security they already have - ahem there are a few above even amongst the hallowed realms of the El Reg community.
Basically, security = work. It doesn't come free, even if you don't have to pay cash up front, you'll need to pay in time spent "doing" the security.
A good rule of thumb is that the more effective the security measures the harder it is to use the things you're securing. The "easiest" security is often overlooked / ignored by the user because your average 'puter punter just isn't bothered / educated enough even to use the basic security features their OS and software already offers.
Going from the most basic:
PW protecting OS access / hardware access
Once the OS is running, have a different user account for each user and enforce use of these with a decent PW policy (and remember any password is better than none).
Logout / lock the OS whenever you leave the machine - it takes 2 secs max. There is no excuse for not doing this - especially for the more techie amongst us. Leaving your desk? Lock it. At least use an automated screenlock.
Use a browser that has usable security options including a Master password for saved pw lists.
I also think it is an issue that Chrome doesn't offer a Master pw feature, but every user has a responsibility to educate themselves enough to safely use the common web tools, even though this is not very straightforward for most people.
Whose job is it to educate computer users about using sensible security measures for all their PC activities?
Given how much of our lives are dependent on and conducted via the Internet, and the fact that Government is now forcing us to use it to interact with its various departments, we're probably at the stage where some kind of compulsory education is in order.
Maybe the long forgotten computer driving licence should be brought back to life, and only those who have "passed" should be let loose with a "proper" PC which you set up and configure yourself.
All those unable to pass the test should be only allowed to use a special, "authorised" pre-configured device designed especially for Internet "Learners".
Maybe that device will have a real, proper physical key they have to insert in order to use the machine, and maybe they have to turn the key if they want to do anything at all risky. And it should come with a lockable paper notebook to write all the passwords in.
Er, that's it.