Mark McDonald wrote a great post on his GartnerGroup blog about security that you must read: Security is personal and professional more than technical. The money quote for me is:
Security is an asymmetric game from a technical perspective where the attackers will always have the advantage. They have the advantage because there are always more attackers who collectively have more resources than the single company seeking to thwart their attempts. Yes, each attacker may be small, but that is not always the case given recent stories regarding attacks on email systems.
The only way a company can start to address the imbalance is to change the game from many attackers against a single company, to many attackers against every person in the company. Mobilizing and reminding your people about their role in security is not a technical issue. It is a personal and professional issue.
IT definitely has the responsibility to do all it can to address security vulnerabilities, but all members of an organization must be responsible for the decisions they make daily. Behavior is just as important as technology.