Could it also be that, because this forum is security-focused, we tend to have a hypercritical view of the shortcomings within our organizations? Or is everyone else out there in the corporate world just blind to the threat that is out there? Perhaps the truth lies somewhere in the middle?

In the end I'd put my vote down for placing more emphasis on actual security rather than enforcement. Human behavior has a long-term history of disobedience when dealing even with the simplest of requests. (Why do we speed on the freeway even though we know it is dangerous?)

There is no substitute for real-time, proactive security measures. Ignore this cold, hard fact and you'll have to play damage control soon after. Perhaps this viewpoint is rather cynical, but better safe than sorry when protecting your infrastructure.