The users are not at fault here. Even a SSH or VPN will leave them vulnerable to attacks. Companies (Facebook, Twitter, etc.) have to increase their own security, because they are the only ones that can fix this problem.
Sure, but there are about a million times as many people able and motivated to do the wifi-neighbor attack than the stalker-ISP-gnome attack. And as people with true identities in a stable position of authority at as service provider, the gnomes are easier to find and hold accountable.
This difference -- from random anonymous stranger whose only invested in software, to physical infrastructure with paid staff -- is also one reason bank phishing attacks happen via websites and not actual storefronts made to look like real banks.
If the only threat to Twitter and Facebook users was ISP-gnomes, the websites could put off fixing the issue for another decade.
I absolutely agree on fault. My initial recommendation was for them to refrain from using Facebook at Starbucks until that happens -- regardless of fault, users are the ones that are vulnerable.