It is the responsibility of the user to understand how secure the product is and make sure that the security of the product matches up with the desired security of the content they are trying to protect.
I agree.

I tend not to look at the protections provided by M$ as the end all (imagine that). It's just naive practice. But, if you look at it as an additional layer, it certainly has merit. Security, after all, is something that needs to be dealt with in various layers. Obviously, if something is worth cracking, it's worth the consideration of multiple security layers. Using the password feature is a good (not to mention minimally intrusive) added step.