I agree that it seems like there are an awful lot of vendors who either don't use PGP at all, or use it but don't know how to verify signatures. It all sounds more complicated than it actually is, and I think that intimidates people into complacency.