The thing is, it isn't always common sense. I've seen some phishing emails that really do look legit. Gone are the days when scammers would send out emails (with bad spelling and grammar) that just bluntly asked you to enter your login details into some website the URL of which bore no resemblance to their actual company website URL, to sort out some invented problem on your account.
Some scammers do send out emails that look a lot like they come from Amazon, or Paypal, with URLS that are just a slight misspelling of the original. Even those that come from a scammer pretending to be an educational institution can look very convincing, Admittedly it *is* difficult for a scammer to get hold of an ".ac.uk" domain, but how many people would notice if the URL shown was <institution>.co.uk instead of <institution>.ac.uk (with <instituion> being any educational institution.
Also, when determining the value of doing courses like this, you need to factor in the costs of a breach. Not only with the costs of the breach include the cost of any damage done to the institution and it's systems, but there will be a loss of reputation (hard to actually put a value on this), and there may be a legal cost, whether from legal action (users suing etc) or even fines from the ICO. Bear in mind that the ICO's maximum fines are calculated as a percentage of the institutions gross turnover, so can be many millions of pounds.
Training isn't perfect, and no automated system will prevent 100% of scam emails organisation wide, but I would argue that both help reduce the chances of users getting and acting on scam emails, and a course costing a few thousand pounds is a lot better for the balance sheet than legal action that can run into the hundreds of thousands, or even millions of pounds.