I think the biggest problem is user acceptance.

You and I may understand the need for two-factor authentication, but Joe Bloggs just wants to access his free email account to share pictures of cute cats. And whilst the cost of 2FA may be relatively cheap (and getting cheaper), if it's still an additional cost to access a 'free' service, most users will complain and look for alternatives.

In the UK, most banks now utilise personal chip and pin readers to provide access based on account cards. But despite banks providing these free to account holders I still know people that complain about the extra 'inconvenience', unable to understand why a simple user/password isn't enough.

Thankfully things may be changing, and I think as more services move to a system where users can choose to implement improved security to access their accounts (whilst I've not used it, Google's mobile phone authentication is a good example) acceptance of more stringent authentication requirements should improve in general users over time; whilst allowing the truly (and rightfully?) paranoid increased security precautions sooner.

Yah some good points made but the problem is always going to be the end user and I think its our jobs as security people and websites to educate their user by explaing why they need to do somthing rather than forcing them or telling them.

Big companies have the money to educated their user but who is training home user  and until we break this where home user are gettign educated security is alway going to be a hugh issue. As home user are taking their bad habbits to work with them and its just a circle.

Many of the banks in the Uk do use devices for authentication but how of the banks really explained why they are using them. I think if you said to anyone this device will help reduce the change people can get access to your money most people would want the device. Instead banks just send the device and say you must use this so people see it as a pain and dont really understand why.

Some good points but on the other what price do they put on their reputation. Being hacked and having all your customer passwords leacked i think would cost more in the long run.

That is shocking just goes show how many people dont have a clue about things