Security training: should we give humans a break?

Cryptographer Bruce Schneier once said, "only amateurs attack machines, professionals target people" and yet how far should we be blaming humans for the breakdown of our cyber security?