Bruce Schneier talks about some strange security practices at British Airways. When I've booked personal travel with them to the US in the past, they've always sent me an email with a link in it. Clicking on that link would allow me to update various aspects of my booking without further authentication. I'd always been concerned by this but the sheer convenience of it always won me over. That, in a nutshell, is the problem with security... users prefer the short-term gains to be had by removing it.
As Microsoft are discovering with their current Vista betas, optimising both for security and ease-of-use is HARD.