Vista is filled with a variety of security features that really do keep the enterprise more secure. User Account Control ensures that the user is forced to permit an application to run. It's not perfect and it can be annoying, but it does go a long way in giving users a second chance when they decide to run potentially malicious code.
At the same time, Vista security can be enhanced when IT managers simply force employees to run as users with limited rights. It effectively creates a situation where the employee can only engage in business activities and not perform the kind of actions (such as installing applications) that put data at risk.
On the browser side, Protected Mode in Internet Explorer runs the entire surfing process in a sandbox, making it more difficult for users to access system locations. That simple addition makes it easier for administrators to control how users surf the Web. They can limit the employee's ability to install malware.
Those are just a few examples of many that help make Vista more secure. But when evaluating the security of Vista, it's impossible to ignore the fact that, in many cases, it's the employee's naivete that develops into issues. No, they shouldn't open attachments on their work e-mail from people they don't know. No, they shouldn't be downloading software onto their computers from an untrusted source. No, they shouldn't be surfing to sites that contain malware. But the problem is: they do. And when they do, we can't expect Vista to be perfect and stop every threat.
So in the end, we need to look at Vista for what it really is: a piece of software that, while not perfect, is better than the critics say. And in the enterprise, it's still a good choice.