All of these features are basically raising the security bar on security. With each thing, the amount of skill and effort it takes to get a working exploit rises. That's the basic point of all the security stuff we throw out there. Whether it's firewalls or service hardening or whatever, if there is a person motivated enough and skilled enough with a lot of free time on his/her hands, eventually they will either figure out how to get in or give up to find something more fun.
There was discussion at DEFCON of how to defeat some of these things. If you read this article http://arstechnica.com/news.ars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html
there is the discussion that talks what tntcoda said. The things that I read that seemed most important is that a portion of all of this depends on software developers doing the right thing. This is also implied with the grsecurity software here: http://www.grsecurity.net/confighelp.php
In my opinion, we as security people can keep putting up barriers, but when we look at software development, even the folks that the developers frequently look up to such as Microsoft, are opting out of their own security measures (see the first article referenced). If we are running OS's with only the base services enabled and fully patched, I think that the bar is pretty high up there, but as soon as you start installing software on there, the attack vector just gets bigger. With Vista as an example, I am pretty confident that many people that got bothered by UAC just turned that puppy off and there goes another layer of protection. Knowing that IE has opted out of additional security features along with this, and your attack space has gotten larger.
In my opinion, if we want to make sure that the systems are security, it needs to be a multi-pronged approach. 1) it needs to be convenient for the user, 2) it needs to be built into the OS, 3) it needs to be enforced by the applications. Developers are going to need to start writing code that doesn't opt out of DEP (Data Execution Protection) and ASLR(Address Space Layout Randomization), but sometimes that's hard, and we're willing to compromise. We all compromise some, I am sure that I'm not the only one that's hit the "remind me later" button on Acrobat when I'm trying to read a PDF off of a site that I trust. The compromise is what really gets us in trouble i think.