I’m going to have to go with the “mass-positive” over the “mass-negative”; successful CSRF attacks are difficult enough to detect program-wise, informing the masses of these possibilities should be our front line of defense.

The way I see it: we’ve stood at this crossroad before.
At a certain point in history the security-scene stood before the same decision regarding things like sql-injections: “should we risk exposing our vulnerable sides to people who could possibly have malicious intentions?”.
While such knowledge is still not as widespread as I had hoped, we are finally bringing the topic of security to the lovable, but ignorant public. We should not stop now.

[optimism]Besides, the more people know about these vectors, the more people will be able to pitch in useful ideas.[/optimism]