If a hacker hacked the CEO's email address, and then used that address to email their secretary asking for information, and the secretary responded... that is not a security failure on the secretary's part. That's the CEO's security issue, and the company's security issue. Therefore, it's a useless pen test, unless the purpose is to tell employees no emails from anyone can be trusted.
A phishing email can come from the inside. But seeing whether employees will respond to a valid internal email is not a test of employee security. And in this case, it was as heartless as it was useless.