The problem is that Joe User (or his kid) wants to run some random P2P program without having to reconfigure NAT port mappings, so they have all inbound connections mapped to a static internal IP.
If Joe (L)User or his kid sets up his NAT that way... well, quite honestly he gets what he deserves. Protecting against active, deliberate stupidty is probably more than my job description coveres.
I would be a little more tolerant, as they don't even know they're being stupid. That being said, the only thing that will teach them is to get nailed. It's like backups: only after one has lost a bunch of data and spent long nights rebuilding it does one pay religious attention to make sure that the backup is running every night. No matter what we say about it before they actually lose the data and are unable to restore because the last time someone put a tape in the drive was a month ago. So, Joe (l)user or his kid will continue to configure DMZ hosts in their Linksys, they will get hit and pay $500 to have their PC reloaded or buy a new one, and they won't do it again. I'm not saying I like it, but it's just the way it is. Michel.