Re: "I do not blame the person who clicks in an email"
Real email from our corporate security group looks exactly like a phishing mail, including the link to a site not in our domain and instructions to enter corporate credentials.
And that's for our anti-phishing training.
Blaming users is stupid and pointless. It's stupid because human beings cannot be constantly vigilant, and organizations continue to use email with embedded URLs for legitimate purposes. It's pointless because decades of IT security experience, and millennia of security experience in general, universally tell us that blaming the users does not help. It does nothing to improve the situation. It's merely an occasion to make yourself look smug, and it's not even very good for that.