Having retired from a network-security-related job, I have to disagree. OK, stupidity and/or ignorance. Sometimes willful ignorance.
I did a thing unusual in the I.T. field. Something the vast majority of SysAdmins will insist does not work: I relied greatly on end-user education and cooperation for my employer's defense. To a degree such that it took higher precedence than anti-virus and anti-malware. By any measure it was a successful strategy. In the twenty-five years I was on the job, there was only one significant incident; it was due to a new type of zero-day vulnerability, and the primary vector had actually done everything right.
Yep. #CanConfirm
User education is incredibly effective.