If it's corporate then the minions don't care.
The minions sitting at their desks & doing the mindless daily drudge to earn their honest dollar aren't PAID to think about security, so they don't think about security, & will blithely click that trojan-laden phishing email that appears to be from some random Nigerian Prince with an invoice attached.
It's not their personal computer, it's not their personal data, & it doesn't come out of their hides if the email hoses the network. Since they're not paid to think, then they aren't going to think. You want them to give a fuck about security? Then you have to PAY them enough to care. But the minions at the bottom that get paid fuck-all to do the stuff from the bottom of the corporate barrel? They don't get paid enough to care, so they won't, & thus your network ultimately depends on folks you refuse to pay or treat very well. Vicious cycle, isn't it?
You can have your NetAdmins lock down the infrastructure to the point where it's totally secure, but that involves turning everything off, encasing each computer in concrete, & sinking it in the Marianas Trench. If the Admins loosen the noose enough so your employees can actually Get Shit Done then that loosened noose is loose enough to hang you with. Trying to find the razor-thin balancing point between enough security so they can function & enough to protect corporate assets is such a daily grind in-&-of-itself that your Admins may throw up their hands & give up in frustration.
So the people at the bottom that open the most email & thus put you at the greatest risk of getting fucked over are the very same people you pay the least, treat the worst, & consider as mere cogs to be outsourced to some Third-World hellhole so you can give yourselves another couple of million boost to your already fat pockets. Yeah, that seems to be doing well, doesn't it?