I agree you can't expect people to provide full defense, and it doesn't sound like you disagree that helping people act more securely is important.
In my example, there's a difference between whether one salesperson leaked their business numbers, or the entire 100-person department did. You train users to minimize the vulnerability even if you can't fully solve it.
If you agree that far, then I am not sure where we're disconnecting on this question.
I would imagine we're disagreeing with the "at what cost"?
As in, is the cost of:
1. Losing the trust of your coworkers
2. Causing public reputation damage
3. Potentially harming coworkers emotionally
worth the gain of having a slightly more effective phishing training? I would argue no.
I would also say that it isn't nearly as important as implementing other measures - U2F being a big one that I'd mentioned, but there are plenty of others. It's certainly not where I'd recommend anyone start.