Quote from a security researche regarding Joe Public’s inability to spot holes in Android apps:
“About half of the participants could not judge the security state of a browser session correctly.”
well duh. Why should they have to? People have better things to do than self-train as it security experts. If IT was secure by default, then everything would be much simpler.