"There is a ton of evidence both in computing and outside of it which shows that poor security can be very much worse than no security at all. In particular stuff which makes users think they are secure but is worthless is very dangerous indeed."
I think Alan is smoking crack here.
It's not a problem of an imperfect security framework (nothing is perfect). It's a problem of ill-educated users.
For desktop users, having a security framework that is good enough to fight off most of attacks is far better than having nothing extra to protect you.
An example of poor security is anti-virus software.
It really doesn't offer real protection. It offers minimal protection from random script kiddies, but offers nothing to prevent a targeted attack(the attacks you actually have to worry about).
But users don't understand this so they will still run random attachments in their email, believing that the anti-virus will save them.
It all stems back to user error.
Give a child a toy gun, they have fun. Give them an AK, expect deaths.
It might help to read the full email linked above. In the next sentence, Alan adds, "when you know that security is limited you act appropriately, when you believe security is good but it is not you take inappropriate risks and get badly burned."
You should read the entire thread instead. What Alan said exactly backs up my claim that it's a user education problem, not the (imperfect) security solution's problem. Whatever security solution a user uses, he'd better UNDERSTAND it. That's exactly why usability is as important as anything else in a security framework: if it's hard to use or understand, it's likely going to cause more problems than it solves (e.g., SE Linux?).
I like the other much better: perfect is the enemy of good.