AutoRun functionality has been abused in the past, which has led to Microsoft's decision to disable it. The most notorious example was the Sony Rootkit of 2005. In an attempt to keep the music-copying genie in the bottle, Sony issued audio CDs that included a small data partition with an AutoPlay file.
When users put the CD into their computer to play music, it installed a very invasive piece of software that disabled copying of audio CDs. Beyond that, however, bugs in the software caused system instability and left an opening for other malicious software to take advantage of the rootkit's ability to hide files. Sony misusing AutoRun this way set a pretty horrific standard, a behavioral bar so low that nearly anything goes.
The rise of removable media that is writable, such as USB flash drives and portable hard drives, makes AutoPlay even more dangerous. For example, an attacker who wants to break into a specific company could sprinkle a handful of AutoPlay-infected inexpensive USB drives in the company's parking lot.
Odds are good that at least one of them will find its way into an employee's computer at work or at home, and from there the attacker can find his way into the company's secrets. These kind of attacks can be very effective because they are often able to circumvent even tight network controls intended to prevent infiltration.
In the continuing battle between convenience and security, the convenience of AutoPlay has been beaten back to square one by the security issues it raises. We're all used to the additional security problems caused by ubiquitous Internet access, but this one is different. It's a feature that hearkens back to the old floppy boot sector viruses, resurrected for abuse in an era of cheap USB drives. If Microsoft was designing AutoPlay today ... well, I doubt a feature like that would make it at all. The Age of Auto Everything has ended.