It is difficult to write responsibly about security without sounding like a Microsoft-hater. The fact is that most of the world's computers run Microsoft products, so any serious vulnerability will affect a lot of people. And there are lots of serious vulnerabilities. Even organisations that keep their critical systems and data on minis or mainframes have users or customers with Windows, so they must consider the risks when the systems interact.
The good news is that Microsoft is taking security seriously - Bill Gates sent round a memo in January emphasising that security is the new priority: "when we face a choice between adding features and resolving security issues, we need to choose security." This is the approach that is needed - complexity is the enemy of good security, and no one can deny that Microsoft products are rich in complex features.
The bad news is that even with total commitment within Microsoft, it will take a long time for the benefits to emerge - the existing vulnerabilities (known and unknown) will be with us until everyone changes to use the new, safe software. Also, this may be mere lip service, designed to combat recent bad publicity. Certainly, Steve Ballmer (Microsoft's CEO) is not showing a new commitment to security; he is still repeating the "all software contains vulnerabilities" spin. This is true, but some software contains more vulnerabilities than other software. Also, Scott Culp (manager of Microsoft's security response centre) is showing a remarkably selective memory in the face of the UPnP exploit for Windows XP, saying, "This is the first network-based, remote compromise that I'm aware of for Windows desktop systems." Perhaps Back Orifice, the Internet Explorer cross-frame scripting vulnerabilities and numerous other examples do not count. We will have to wait to see if Bill's memo is a real change of direction, or just hot air.
So, assuming that Microsoft is committed to doing the right thing on security, what do we need for end users? Perhaps it is a new definition of "User Friendly". When I invite a friend to my home, I do not expect him or her to bring a load of stuff and install a cat flap, "because I might need it one day". I would expect a friend to mention if I had left a window open, and to be honest if they have an accident in my home. So the default install should offer minimal functionality: no web server installed along with the OS, macro capability optional in word processors and spreadsheets, and so on. There should be warnings about unsafe configurations, and when fixes are needed, the user's informed consent should be sought before an automatic fix is applied. This will make computers more difficult to use, but a lot easier to use well.