Yep.
But almost ALL of break-ins will be self-inflicted. In 99% of the cases I have seen, the operator gave permission to be infected. It’s nearly impossible to get around that problem.
Correct. Social Engineering. There is no technological fix for stupid behavior. Not meant as an insult, but if you don’t understand what is happening ask for help. I’d much rather spend a few minutes with my clients explaining what they are seeing and making sure they do not get infected than hours cleaning up behind an infection. Even though the latter puts more money in my pocket.
Current computer protection is very good. Witness the fact that the bad guys have mostly resorted to social engineering and other behavioral methodologies.