While I generally agree, I think it's a mistake to blame users for the fact that any PC software they want to even try is given rights to fully hijack their machine and muck things up. (Yes, it's a lesser issue on the Macs, but as you note: it's still an issue)
On a tangent, why aren't more Linux installs (outside of 'live' distros) making use of UnionFS? That makes it easy to 'lock down' the base install because all of the writing goes to a separate partition that could be completely removed to restore the original state. Are their performance issues with UnionFS (performance in a desktop-sense, not in a server-sense)?