There's an old saying: "When all you have is a hammer, everything looks like a nail." The corollary of this is that when you're really up against it, you will use whatever is to hand to get the job done. Being in a firefight in Iraq qualifies as "up against it" by most definitions, but there have also been some interesting IT security lessons from the current conflict.
The watchword of many military operations these days is "situational awareness." My military friends define this more succinctly as knowing when to duck and which direction to fire. In recent years, there have been many attempts to improve situational awareness with the use of appropriate technology.
Surprisingly, in a recent review of new equipment fielded in Iraq, one of the most popular items (second only to the improved SAPI body armour) was a computerised system known as Blue Force Tracker, or BFT for short. For historical (rather than party political) reasons, the Good Guys are Blue and the Bad Guys are Red. BFT is a PC-based communications system that allows the Blue forces to know where their friends are, the primary motivation being a reduction in "friendly fire" casualties. It does this job well, and has undoubtedly saved lives.
Almost as an afterthought, BFT included a simple, text-based email capability. This turned out to be its most popular feature. BFT communications don't require line of sight, unlike most of the secure communications systems currently fielded. Stopping to set up the antennas required by the secure equipment tended to attract enemy fire, and such "bullet magnet" systems don't have a long working life. In many cases, BFT was the sole method of communication between combat units.
Unfortunately, BFT in its current form does not provide secure (in the military sense) communications. But if it's a choice between testing the new body armour or being written up for a COMSEC breach, you can imagine the priorities of the soldiers in the field.
Even in the relatively peaceful corporate world, the same sort of problem occurs. Take the common bugbear of USB memory sticks, for example. Most people who breach security with these are not doing so intentionally; they're just trying to get their job done. The same applies to using unencrypted email and home machines for sensitive company material.
If people have access to functional, but insecure, systems and the pressure is on, corners will get cut. If there aren't any nails, you should hide all the hammers.