Ray Ozzie has a piece about Security and User Interfaces:
"It's not the individual's fault! It's up to us - the technology industry - to create systems that are complacency immune - that are designed to be complementary to the way that users and administrators really act. ...
No, it won't be perfect: this is all about risk management. You can't control how people behave - so create an environment in which they do the "right thing" naturally."
I agree wholeheartedly. It needs to be natural to use a program securely. The minute you introduce extra steps, it starts to be a hassle for the user and they won't do things securely.
Mark O'Neil writes in his weblog about his experience demonstrating secure email.
If a government wished to limit the use of strong encryption, a good approach would be to plant lousy UI engineers in the security departments of messaging companies, to ensure that the process of setting up encrypted and signed email is as confusing as possible.
It's not just day-to-day usability that's a problem, but also how easy it is to set up. In this respect PGP is way superior to any of the X.509-based systems. Just attempt to get a certificate for your Outlook mail and you will see why no one does it.
This entry was posted in the following Categories: Crypto & Security