I wonder if there are a few of issues here:

1) How many administrators are under the impression that spyware can only be dealt with on a computer-by-computer basis? That is, they are unaware that there are products out there designed to deal with spyware before it hits the user.

2) And finally, how many administrators believe that spyware only tracks things like where you go rather than taking over a machine (ala trojan).

It wouldn't be surprising that few implement even simplistic fixes for IE on their users machines. The idea that it takes too long often seems to override the security need. And yet, time and again, it's been proven that implementing most security measures reduce administrative time.

Interesting none-the-less. We probably won't see major shifts in this until AV manufacturers include it as part of their products (I'm surprised they don't) and/or until there is a major public breach based on spyware.