The fallibility of technical controls

A piece apparently due to be published in Computer Weekly next Tuesday outlines a range of network security issues relating to mis-configuration of IT equipment, and then (almost as an afterthought) ends with the following:

"... security needs to be a mix of people, process and technology. The best security comes from having well-trained and motivated staff, who will not click on dodgy e-mail attachments, and will not be lured into spyware-infected websites. And like every other aspect of the security jigsaw, security training and awareness is not a one-off exercise. It needs to be a continuous programme of education, incentive and information."

The fact that IT systems and networks are misconfigured by people surely implies that security awareness programs need to include IT professionals?
More on network security and security awareness