There is what I consider to be a great look at Microsoft's big security investment in Vista and its "pay off" on InfoWorld - read it here. I generally find these types of write-ups to be barely worth the time reading, but his article is dead on the mark, IMHO.
The gist of the article is that Microsoft put a lot of time, effort, resources, and marketing behind the security push for Vista. In many ways, it had to be done. But the fact remains that all of that investment has meant little for Microsoft as far as users' reaction to and adoption of Vista.
I have seen this phenomenon first hand at the grass roots level. It's a classic example of "good enough" in action and something that is completely ignored by the Microsoft security zealots. Yes, I will call them zealots. I think security is important and needed to be improved, but it is not what defines a successful product for the computing masses. This is something that the security zealots (both inside and outside of Microsoft - the "Linux is better because it's more secure" crowd is another great example) seem to miss.
For Joe Average User and even Joe Average Developer/Geek, security is something they want and expect, but it is not something that makes them want to rush out and buy a new product. During the bad years of Microsoft security problems, Linux did not take over the desktop even though it was more secure, because it was nowhere near as usable or convenient. Volvo is a good example in another industry. If people cared so much about safety (in this case a form of physical security), Volvo cars would dominate the roadways. But they don't, and that is but one reason that Vista has not captured more hearts and minds. Security is boring, and "in your face" security is downright annoying. We all want to be safe on airplanes, but we all hate the security lines and the "3 oz max in a plastic baggy" checks.
Do not mistake my statements here to mean that I do not think security is important, or that Microsoft should not devote time and energy to making all of its products as secure as possible. What I am saying is that security does not sell, and it never will in most markets. Lack of security will absolutely kill sales, but making security a primary selling point or feature is not good for the mass market, in general. Yes, there are exceptions to the rule (servers, certain vertical markets, etc.), but in the case of the mass desktop operating system market, I think it has been proven many times over that security is rarely a deal maker but often a deal breaker.
Security appeals to a very small subset of the population, geek and non-geek alike. The organization I am part of in Microsoft has had a big security push over the last few years, so much so that we had to talk about security all the time. To the point that it was mandated that you have security slides in EVERY presentation (and as far as people know, I did - lol). We had entire sessions devoted to security topics. I laughed/argued about that effort from the get-go. You can't jam security down people's throats - they either care or they don't. Sure, you may effect change in a person or two along the way, but at the expense of boring the other 99%. I am very pragmatic in my approach to what people want to hear about, and more importantly, what they will be interested in. Security is not it 99.9% of the time. When it is relevant I included security info, but if you are talking about a basic intro to Windows Workflow and then slides on Windows security or whatnot suddenly show up, it's more of a distraction than anything else.
Other examples? I have had a grand total of three, yes three (unless I forgot one or two), customers ever ask for a presentation on developing secure code and applications. I had about the same number of takers when I offered to do sessions on developing secure code/applications. Remember, this was over a couple-year time period. Any time Microsoft put on sessions that had a security theme, attendance was down compared to other topics. If we used a ramrod and slipped security stuff into topics that were primarily not security focused, we often saw lower evaluation scores (not always, but often enough to be noticeable - the last official "DevDays" anyone????). If people who develop software are not interested in security, how in the world do you think people who just use it will be?
Security bores people, and spending about a third of your value proposition telling people that Vista is the most secure operating system ever from Microsoft is not going to inflame the desire of computer users the world over. Even more so when that really is one of the things that makes it "different" compared to its competition and predecessors. If anything, it raises more red flags than not, since people immediately become suspicious: what you are essentially saying is, "we told you the OS you had before was secure, but now we are saying this one is even more secure, so the one we said was secure really wasn't all that secure. But you can believe me this time." Ughhhhhh. Apple does not tout the security of their OS as a key feature. It's almost slipped in there as a simple statement while they talk about all of the other things their OS offers. Sort of a "it does this, and this, and this is really cool, we have really good security so don't worry about it, and oh, check out the great performance...." That is how you market security; you don't - it just is. Sure, Microsoft may have needed to make it more of a point than Apple or others due to past track record, but you do not lead with it. You don't make it one of the CORE marketing value propositions. I have yet to have a single family member or friend say "gee, I really need to get that Vista OS because it is more secure." Nope, not once.
I understand that in light of the wave of security issues Microsoft had while Vista development was just getting started (ahhhh, the heady days of Longhorn, when it really was cool), Microsoft had to do something fundamentally different to address the issues. By the time Vista shipped, however, Windows XP SP2 was recognized as a much more secure OS than it had been, and for many, many users, it had reached the "secure enough" stage. Heck, there was not a massive rush to deploy SP2 in enterprise customers' environments despite the obvious security benefits! During that time, though, the security zealots had sacrificed usability, performance, and groundbreaking feature development time on the altar of "security security security". I am not saying security should be sacrificed to achieve some feature. And in the server world, it absolutely is a selling point. But at the same time, the other factors need to play an important role. It is a difficult balancing act. It can be done. Microsoft must find a way to do it moving forward.