Amusingly the general classes of "users who leave default passwords" and "users who click through a warning" are going to have a big intersection.

Well done, sir. Even so, I think once a user is shown a cert warning it becomes their problem, not the site owner's(in the sense of who's responsible that is). When it comes to security, everyone has their part to play.