I mostly agree with you, but I think you might have missed my intent...
Why does a random HR employee have the ability to send an export of all employee data to an external address? Why would the CEO legitimately need to ask anyone to send them data (as in, the data itself, not a link to an internal webpage or file)?
Yes, people will always make mistakes, and non-techies will never keep up with the latest social attacks - thus my point; not saying someone should lose their job for an offense they don't even understand, but rather, that they shouldn't have the physical capability of accidentally causing such a breach.
Though rare, this counts as one area where we could take a tip from high-security government agencies - no removable media, no direct internet access, no email attachments can leave (or enter) the local network without some form of sign-off by InfoSec, etc. And yes, of course people will always find ways around such technical barriers, but at that point it becomes a lot harder to claim ignorance instead of malice.