Misplaced Blame and Due Diligence
Adobe is NOT the problem. When you get right down to it they have provided a great deal of control over security via the UI (acknowledged) and registry keys - but most people (sys admins included) usually use default software installs and rarely customize user software settings.
Instead we rely upon boundary firewalls in hardware/software, use IDS/IPSes, install anti-viral/anti-spamware. Our networks look like a scoop of ice-cream covered in a semi-hard chocolate shell; even if there are no openings, the shell is crunchy and thin with a soft and mushy interior. Once inside the "walls," malware frequently runs rampant.
Sometimes we can be our own worst enemies.
Let's stop blaming all the vendors; there has not been a piece of code written to date (Apple included) that does not have deficiencies. Face it, the stuff today is too complex and too large to be flawless; it happens. And the more you tighten things up, the harder the system becomes to use. The best you can do is to perform due diligence given the acceptable level of risk for your organization.
Furthermore, I think a carrot/stick approach should be employed - shameless plug for all of us. IT is rarely rewarded for "keeping things up"; businesses should provide incentives for keeping systems "healthy" and available, and write those into a KPI/contract. And proportional penalties should be meted out to those responsible for malware, e.g. if you infect 100,000 PCs, you get charged with 100,000 counts of trespass, data-theft, etc. and are looking at serious time.
Steve