I have to agree with TigerShark:

Er.... Isn't the "flaw" the user himself????? I mean c'mon.... If you don't know what the cmd prompt is what could possibly be so important as to coax a user of this level into following the instructions without suspicion.
I mean, is it a problem that the EXE attachment will run from a command prompt without consideration for its alleged security level? Sure. However, the users dumb enough to do that don't even know what a command prompt is or how to find it. If a piece of malware actually walked a user through moving the file to execute from a command prompt and how to do it and they follow those instructions and get infected they should just be fired. There is nothing a security administrator, technology or policy can do against stupidity of that degree.

I also liked the quote from Pooh Sun Tzu:

The Tao teaches us to not act until others require us to act, and to not learn unless others require us to know.
I have a new book by Richard Bejtlich called The Tao of Network Security Monitoring: Beyond Intrusion Detection that I haven't had a chance to look at yet. I like the philosophies behind Buddhism and the Tao although I understand they are separate and unique philosophies.