Yes, and the naïve users are typically the ones who are successfully infected.
The realm of the naïve is all about us. It includes everybody from all walks of life - including Admins with years of solid experience.
I am sure they will allow the macro - add some social engineering for the cherry on top and the likelihood of a successful infection is even higher.
It doesn't even matter if a macro is required. If they are willing to download a normal Win32 executable and run it (leading to infection), what makes you think they won't open the document and allow the macro?
More and more commercial users are disabling all macros by default - or only allowing audited digitally signed macros. In other words, remove the macro attack vector from the naïve users' hands.
It is far, far easier for a home user to protect their system using default-deny than an enterprise. And the home user can make their system far more secure with a little bit of effort.
To almost a complete extent, those who want great security don't complain about the usability of default-deny and heavily restricted user access/privileges.
There are a lot of reasons that Microsoft has included software restriction policy protections in its enterprise products for decades by this point.
It just takes a bit of effort and patience to explain and teach the naïve.
The bottom line is that simply installing security softs never has been and never will be enough.