Re: I think the real reason PGP succeeded...
1. Realising you had to pay for your encryption key, and CAs were going to shake you down
You don't pay for the key, you pay for a certificate.
The trouble with the PGP approach is that in order to know that you can trust someone's key -- that is: be sure that you have a key that really belongs to the person with whom you wish to correspond -- you need to get the key from someone you both know and trust (that may be a keyserver, or may be an individual). That's often not a trivial task.
A PKI system (a la S/MIME) relies on keys that are signed by entities that are generally (rightly or wrongly) regarded as trustworthy. These Certification Authorities are well-known, and their own keys are easily looked up (or are already known because they are distributed with your browser, etc). The key certificate tells you who issued it, so you only need to verify against that one CA, rather than consulting half the PGP keyservers on the planet until you find one that has the right key.
Yes, these CAs tend to be commercial entities who ask to be paid for issuing a certificate. Some certificates are issued with no guarantees, and they tend to be (fairly) inexpensive; other certificates come with financial guarantees of protection against fraud if the certificate is relied upon (backed up by insurance policies, for which a premium must be paid).
It doesn't have to be that way. There are many entities one deals with on a regular basis that have an interest in being able to communicate securely -- your government, your bank, the Post Office, your employer -- and any of these could issue certificates for their own convenience and that of their correspondents.
Imagine: Your national ID card (OK, we don't have those in the UK, but just about everyone else does) could contain a security chip that could generate a private key securely on the card. You could send the corresponding public key to HMRC or the DHSS or whoever got the job of managing secure communications with the public and they would send back a certificate that you would store on the card alongside the private key. Whenever you wanted to send a signed or encrypted message you could insert your ID card into a card reader connected to your computer, enter a PIN (so only you could use your key) and the software would do the necessary.
The technology is all there ... there just aren't any public service CAs (probably because government doesn't want us to use strong crypto).
2. A key which expired every 6-12 months and had to be replaced
It's a good idea for keys to have some expiry date, so that they become invalid before the technology/key length becomes too easy to break. The validity period shouldn't be too short, though; that is just CAs milking the system.
3. Abysmal integration in email products. Support in Outlook/Outlook Express/Netscape was bug-ridden & barely usable through lack of testing.
Microsoft never really understood security -- I hope they're getting better at it. Good integration of security into products won't come until security is seen as a basic function for everyone, rather than a tiresome add-on for the few.
Hats off to Phil Zimmermann for producing an encryption system that worked within small communities without an infrastructure to support it ... but for widespread use the infrastructure is necessary.
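The enrolment-and-verify flow the post sketches (key pair generated for the holder, a CA issues a certificate naming the e-mail address, the recipient checks only against that one CA), as an added Go example using the standard library's crypto/x509; this is not the poster's code nor any real CA's, and the CA name and address are constructed placeholders. It also shows the point made about trust: a self-signed certificate from an impostor claiming the same address chains to no trusted CA and is rejected.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { // demo-only error handling
	if err != nil {
		panic(err)
	}
	return v
}
// issue builds a certificate body for name (a CA allowed to sign, or an e-mail user), generates the
// subject's key pair (on the post's ID card the chip would do this) and has signer certify it; signer == nil means self-signed.
func issue(name string, ca bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(180 * 24 * time.Hour)}
	if ca {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.EmailAddresses, t.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil {
		signer, parent = key, t
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}
// trustedByCA is the one check the post contrasts with trawling keyservers: chain the
// certificate to the single CA it names as issuer, then confirm it carries the address.
func trustedByCA(leaf, ca *x509.Certificate, email string) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}})
	return err == nil && len(leaf.EmailAddresses) == 1 && leaf.EmailAddresses[0] == email
}
// demo (constructed names) reports whether the CA-issued certificate and an impostor's self-signed one are accepted.
func demo() (genuineOK, impostorOK bool) {
	ca, caKey := issue("Example Public Service CA", true, nil, nil)
	alice, _ := issue("alice@example.test", false, ca, caKey)
	impostor, _ := issue("alice@example.test", false, nil, nil)
	return trustedByCA(alice, ca, "alice@example.test"), trustedByCA(impostor, ca, "alice@example.test")
}
func main() { fmt.Println(demo()) } // true false
```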