In my opinion they are.
If staff are not trained to follow a process when dealing with any facet of security, including tasks such as updating computers, then no amount of firewall rules, application security or padlocks is going to save your business.
However, in order to train staff you must have a security policy in place for your business.
This does not have to be an epic undertaking worthy of security consultants and the NSA; for most small to medium businesses it can be as simple as telling staff never to follow any instruction unless it comes in written form from the head of IT or security. Staff members must also be aware that any deviation from the process is bad, even when the CEO tries to make a request outside the correct channels.
The article "Major NZ retail chain hit by phishing attack" shows how easy it is to con most staff into performing actions that can harm the brand and business assets if they do not have a clear, well-documented policy to follow.
Don’t forget: your staff are very much a part of your business security.