b) Phishing not really covered enough. I think that this is one of the major (MAJOR) problems that larger companies have security-wise. It's not that the IT guys aren't setting up firewalls properly, but rather that some marketing ding-dong is voluntarily giving away his passwords.
c) This is related to (b), but social engineering, much like phishing, is a bigger problem than "iterating attack patterns" (yawn). The run-of-the-mill non-techie people need to be educated and trained in how to be vigilant and security-conscious. You can do all the drills you want; if Bob from accounting simply hands over his credentials to bad guy X, it's all for naught.
I really do like the anomaly awareness idea though. I think that might even be a great start-up idea. Have a service that logs "anomalies" -- it simply does statistical analysis on various information (like login patterns), and when something "weird" happens (i.e. exceeding some set deviation), it alerts the security people.
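The login-pattern anomaly service sketched above, as an added example that is not part of this thread: per-user daily login counts are compared against a week of history with a z-score, and anything beyond a set deviation threshold is flagged for the security team. All user names and counts below are constructed; the standard-deviation floor is an assumption so that perfectly regular users do not divide by zero.

```python
from statistics import mean, pstdev

# Constructed baseline: logins per day over the past week, per user (not real data).
BASELINE = {
    "alice": [4, 5, 3, 4, 6, 4, 5],
    "bob":   [1, 2, 1, 1, 2, 1, 2],
    "carol": [2, 2, 2, 2, 2, 2, 2],   # perfectly regular: population stddev is 0
}

# Constructed counts for today; "dave" has never been seen before.
TODAY = {"alice": 5, "bob": 14, "carol": 2, "dave": 3}


def zscore(history, value, min_std=1.0):
    """Standard score of `value` against `history`.

    `min_std` (an assumption, not a statistical law) floors the spread so a
    user whose history never varies still gets a finite, usable score.
    """
    sigma = max(pstdev(history), min_std)
    return (value - mean(history)) / sigma


def detect_anomalies(baseline, today, threshold=3.0):
    """Return {user: reason} for every user whose count exceeds `threshold`
    deviations from their own baseline, or who has no baseline at all."""
    alerts = {}
    for user, count in today.items():
        history = baseline.get(user)
        if not history:
            # No history to compare against: surface it rather than stay silent.
            alerts[user] = "no baseline: first-seen user"
            continue
        z = zscore(history, count)
        if abs(z) > threshold:
            alerts[user] = (f"{count} logins today vs mean "
                            f"{mean(history):.1f} (z={z:.1f})")
    return alerts


if __name__ == "__main__":
    for user, reason in detect_anomalies(BASELINE, TODAY).items():
        print(f"ALERT {user}: {reason}")
```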
The problem is the less than stellar sandboxing which allows non-high-grade software of dubious origin and function to run arbitrary code via the plugin on the underlying system. That puts it somewhat outside the spectrum of damage the typical XSS or HTML injection does, usually phishing or session hijacking.
Maybe it's disliked by start-ups running the latest and greatest flavor of X, but enterprise isn't letting up any time soon on Java. Especially if they're already using Oracle and it's not easy to get rid of legacy stuff that costs money to rebuild. There are also people who adamantly protect the legacy stuff because that is where their job security lies.