If instead of christmas bonus, it was death of a loved one, would you still consider it acceptable (both meet your criteria)? Would it be acceptable to test employee susceptibility to extortion by taking compromising photos and then threatening them with it?
In my opinion no. Any sort of experimentation on employees needs to be ethical. If you screw people over in the name of security, you have now become the security risk. Making the security team be the enemy that the employees hate because they have been hurt by them, will lead to very poor outcomes.
It's ok for companies to prepare their employees for phishing, except that (a) they are not allowed to inflict emotional harm on their employees, and (b) the email should include the correct examples of phishing markers.
A good example would be an email coming from a realistic-looking but fake external email; or an email with faked internal-looking headers that are highlighted by the company's email system.
A bad example would be an email coming from the company CEO's real email address, claiming that the employee was promoted, with no warnings from the email system that the headers are faked. That would not teach a useful lesson, and it would inflict some emotional damage on your employees.
Note: the lesson is not useful since, if the attackers have managed to corrupt the email system well enough to send emails from internal addresses without getting flagged, they will most likely have no need to phish for further access.
It's ok for company to prepare its users for phishing, except for the kind of phishing where the attackers:
(a) devised an emotional hook (b) put in effort to make it look legit.
You can see how that creates a vulnerability, right, because a moderately sophisticated phisher would aim to do (a) and (b) every time.