This is pretty much the problem with most modern IT security.

Obviously there are many sources of insecurity that can be introduced into any system. Incompetency perhaps being one of the leading. Security by defaulting is a safety net for incompetency. Not infallible, but what is?

I expect over time smarter defaults to be shipped. However there is a real balance that needs to be achieved between usability, functionality and security. The reason for instance that Windows has so many things enabled is because many users have no idea how to enable them! To ensure everyone has a fully functional system they are switched on by default.

Unfortunately it was decided that the security implications are secondary to functionality. It's not necessarily a stupid decision, it's just one which results in greater likelihoods of insecurity. The Windows philosophy values functionality above security. The OpenBSD philosophy values security above ease of use, which has a twofold effect of being secure by default and of increasing the chances that the user is naturally more competent in the first place.

For post: Security is sensible defaults