Microsoft has been working to make security patches easier for users to apply, and I think Windows Update does a pretty good job when configured properly. However, this article over at Wired points out that some worms are being passed off as patches from Microsoft.
To protect users from their own carelessness, I wonder if it might be appropriate for Microsoft to offer a more idiot-proof Windows configuration option. An idiot-proof configuration would run a firewall and virus scanner by default, apply Windows Update security patches daily, and make opening email attachments all but impossible. Of course, such a configuration shouldn't be a Windows default, but it might go a long way towards protecting users from themselves.