So, we agree about average Joe, but slightly disagree about average admin.
That could be because both my wife and I worked with confidential data. Average admin does not have to obey security instructions.
The average Admin knows very little about security. The average Admin's objective is to just "get things to work." The average Admin works in a company with fewer than 100 employees. Even Admins in very large corporations lack security focus. In SMB, corporate and institution environments, the priority is that things work at the bare minimum cost over security. Security is not a priority - especially if it costs money. Going out into the field clearly shows this fact over and over.
Specialized Admins that are very well versed in security are rare and work in very specific types of corporate environments.
If you go into the field, you will find that the average Admin does not prioritize security.
And despite what others say, the decision makers do not really care about ease-of-use. The Admins do to an extent, but the people writing the check - all they care about is the cost. So, the bottom line is, if it costs money - even a few dollars per workstation, they ain't buying. That's reality.
The decision makers won't even hire the bare minimum staff needed to administer their systems properly. It is not unusual for a company to have only 1 Admin on staff. And that Admin is in charge of an atrociously mangled, obsolete array of hardware and software that barely works together. Or, you see the administration subcontracted out and perhaps a technician will be called only when there is a breakage.
By far the most popular Admin model is the centralized Help Desk. It's like email support with the same end results...
This is reality.