I think the problem is, no matter how easy you make it, it is a fire and forget thing. We have one client that continues to install 3.2.x because that is the 'package' they zipped up with their templates, plugins, etc. and they install 4-5 WordPress sites for their clients each week.
One client we upgraded, his FTP client noticed something was different, and remirrored the older files over top. He has since changed his FTP to not overwrite newer.
Our monthly scan looks for WordPress versions on a number of machines and lets us know who's running older versions. After getting most of the machines up to 3.3.1, the number of exploits and spam emails we've seen has dropped tremendously.