There's a difference between claiming others are poor at spotting scams and claiming that they are infallible.
For reference - I've never had a credit card skimmed, a single unauthorised charge, an online scam or compromise, etc.
In fact, step 1 of the plan for verifying scams in every organisation I have ever worked for is "Run it past IT if in doubt".
We are then the arbiters of whether it's a scam or not. We haven't got it wrong yet, and that's several different workplaces over decades.
Doesn't mean that we COULDN'T EVER get it wrong, it just means that we're much harder to fool.
And I've had things where I literally spoke to the scammers on the phone because the phone was handed over suspecting a scam, and as soon as they realise they're talking to the IT department, suddenly their enthusiasm evaporates. Whether that's trying to authorise a transaction, install some "remote support" software, or merely click a link.
Because we've been trained rigorously by cyber-security specialists, MI5 have shown us how to detect lies, or that we spent our lifetimes handling nothing but front-end, high-risk financial interfaces? No. Because we have a modicum of common sense and can spot a scam a mile away, and have the authority to say "Nope. That will not happen on my system." I've said that to the top level of the organisation, against their wishes. I have literally overruled "the big boss" that nobody says no to. By saying no. In some of those cases, it was "genuine", just extremely poorly handled by the other end, and in some cases it was an outright fraud trying to extricate £100,000's from our coffers. Still, I overruled until we were cast-iron certain things were legitimate. I never received any flak for doing so.
Spotting scams doesn't make you infallible, but it's not difficult to spot the vast, vast, vast majority of them.
And it's not wrong to call people stupid if they fall for obvious scams, and do so repeatedly.
(P.S. We run simulated phishing attempts in my organisation, from a sophisticated paid-for service... it literally reads your inbox, tries to make a "genuine" email from your contacts, and hides lots of the origin information to make it more viable. They are easily spotted for the most part, but you can tweak the levels, e.g. for the IT department. I will tell you now that the people with some of the most serious responsibility and power on the system are some of the easiest prey and users fall for some ridiculously obvious things - especially the newbies who aren't accustomed to their employer running phishing tests on them).
You don't need to be infallible to be not-stupid.