This is very disturbing. If alleged professionals running a high-profile web site have a 20% failure rate, how can the security community expect the rest of the world to do any better?
I remember years ago reading about an e-mail virus (Beagle, often known as Bagle) that was infecting a lot of computers. When the big-name e-mail providers started scanning for and deleting the messages, the authors switched to a novel approach: The virus e-mailed an encrypted zip file containing the malware, placing the password and installation instructions in the body of the message.
The virus kept spreading rapidly despite the fact that people had to manually save the attachment, unzip the encrypted contents and deliberately run the malware.
At that point, I became convinced that a certain percentage of the population really is dumb enough to do anything a random e-mail message tells them to do. There doesn’t exist any cybersecurity product that can protect a computer against that level of stupidity.
Back in college, a big joke was the “manual virus” which tells you to forward the message to everybody in your address book and then reformat your hard drive. I don’t think jokes like that are funny anymore.
Update: I was able to identify the virus in question. I linked to a news article (from July 2004) about it, above.