I also blame the idiot users who don't think twice about phishing attacks, replying to spam, or installing that ActiveX script because they think they need it to browse a website.
They think security is someone else's problem. That attitude has to change.
That is a corporate mentality issue.
The first thing that needs to happen on that front is that the folks at the top need to grow a set and lay down concrete rules about such things that carry concrete penalties if violated.
I know this sounds harsh, but once you've spent 72 hours straight cleaning up the worst of the problem and weeks afterward catching the stragglers, you begin to understand the financial cost of being so lax.