As one who has thousands of people working in companies that I either own, co-own, or have invested in, I can tell you that not everyone is trainable
I agree, but those are not people you want working for you if you are concerned about security.
Not that people are stupid - no, as far as I am concern, almost all who are working in the companies I mentioned above are above average in intelligence - but the one thing that is needed the most is not information, rather, it's intuition with a large bit of paranoia mixed in
I think that you and I have different definitions of intelligence (mine matches the dictionary). If a person does not care, or is lazy in terms of security, that has nothing to do with intelligence. An intelligent person that cares can easily learn. An intelligent person that does not care will perform questionable acts, and not just in terms of phishing campaigns. A lazy person will filter security messages to junk and never read them.
Making people care about security takes work, and making sure they review security bulletins takes work. Reward vs. punishment systems are a juggling act, but this is true in any behavioral science.
It takes a paranoid to be suspicious of everything - and in this social-media world that we have today, where everybody shares every bit of their own info to the world - paranoia is becoming a scarce resource
If the dangers of social media are not part of your security awareness campaigns in the office, you need to have your security team add this to their normal message campaigns. It does not take paranoia by end users to catch phishing attacks, it takes awareness. I.E. "Our company will never ask you for personal information on a social media site. We will never ask for your login name or password on the phone. If you receive such a request contact security at [some extension] immediately, preferably while the person making this request is on the phone." or how about "Want a free lunch? Report questionable content to security and if it's a campaign to cause damage we'll buy you lunch." and finally "Send suspect phishing emails to security, be entered for a raffle to win dinner with the CEO/attend a game in our suite at the Shark Tank, etc...." There are many ways to mold behavior.
Further if you are are a company that does take login names and passwords over the phone or asks for people's personal social media information, change your friggin policies immediately! That is not a problem with uneducated users, that is a problem with horrible company policies and practices.
No matter how much info we have shared with our colleagues, no matter how many times we have told them to be ultra careful, you bet someone will get phished, almost in a daily basis, and the local level network will get breached
I have seen too many examples where this is simply not true. Companies that skimp on acquiring and maintaining a good security team and enforcing internal training are the biggest victims. Where I work currently we have regular training, and even though we experience regular phishing attacks people are not giving out data. It's only 600 employees, but we still see 0 successful phishing attacks.
I'd be willing to bet that any company you claim is "good" yet gets regularly victimized by phishing attacks receives little to no regular security training. And "NO", an email from security that requires no follow up is not "training". Annual face to face meetings with security are similarly not training. Even in a place where users have been well trained quarterly is a minimum, and while working to train users this should be monthly at a minimum. Make the training mandatory, but buy your people lunch for attending. If you let people skip training you are teaching them that it does not matter, so your company needs to ensure a zero tolerance policy for this training. This is all pretty basic psychology for behavior training.