I would say the users, but the fact is you can still get viruses through drive-by infecters as seen in the recent ASProx, where many millions of webpages of have been "injected" to include javascript tags in their bodies and titles.

I would say security companies, but I am doing a good bit research in the area and it is very difficult to identify hackers or anomalous behavior unless you have a large knowledgable IT staff. Creating security products are still in infancy stages.

The criminals, definitely, but the ultimate problem is the lack of law enforcement in cyberspace. There is a major lack of knowledge in law enforcement: a lack of support, lack of staff, and an really sad set of laws. I think if we had better law enforcement, than we would see a lot less crime. Supposedly only 10% of cybercrime is reported.