"no-one should assume their level of technical expertise exempts them from risk"
I'm not sure I totally agree with that statement.
If your level of expertise is click-on-any-attachment-or-link-regardless-of-if-you-know-the-sender-or-not, then yeah, you're at risk.
But if your level of expertise is I-don't-know-you-and-I-will-not-click-that, then you're pretty much immune to that risk.