• TORFdot0@lemmy.world
    23 hours ago

    I guess the point is that users who are taking training are not more likely to pass the phishing simulations, but I think that’s missing the point. In competently run organizations, the point of these trainings isn’t explicitly to teach people not to fall for tests but to be able to identify which users are your greatest risks and either give them more support or can them if they are too high of a risk that it outweighs their productivity.

    Of course the people who are taking more training are failing tests. It’s because they lack the computer skills or cognitive ability to understand what they are doing. But taking a five-minute training that says “don’t click the link” isn’t going to magically make people not get phished, but it has usefulness in basic awareness (which is why we have the super basic cyber security awareness training as well).

    The reality is that all human beings can be socially engineered if the attacker is motivated enough. You can’t stop it by training, only by planning and being proactively prepared.