best answer, and perhaps the most relevant for most companies: "Companies are too busy investing in technology instead of investing in their employees. If they educated their employees on what kind of attacks re going on and that they are part of the security team, you would have a lot less successful phishing attacks."