Quoting from Schneier here:
Security warnings are often a way for the developer to avoid making a decision. “We don’t know what to do here, so we’ll put up a warning and ask the user.” But unless the users have the information and the expertise to make the decision, they’re not going to be able to. We need user interfaces that only put up warnings when it matters.
Pretty true. People just get irritated and pay less or no attention to incessant warnings that turn out not to be real warnings at the end of the day, and when the real warnings come, they gloss over them and click “Allow”.
A couple of classic examples would be “The Boy Who Cried Wolf” and the use of self-signed/invalid/expired/revoked SSL certificates on a production site. I’ve seen the SSL certificate one occurring on a site belonging to an MNC, heh 😉