I dunno, my last two companies had some pretty difficult fake phishing emails and at least quarterly trainings. But they were a utility and a company that was being acquired by a foreign company (subject to CFIUS regulation and approval) and took security extremely seriously. I’d imagine most non-critical-to-national-security companies just buy some package from a vendor and call it a day though (based on my current company), and that’s why they suck.