Nuclear Regulatory Commission and security training

Nextgov's article "Nuke Regulator Hacked by Suspected Foreign Powers" discusses several attacks on the Nuclear Regulatory Commission's computers.

One incident involved emails sent to about 215 NRC employees in "a logon-credential harvesting attempt," according to an inspector general report Nextgov obtained through an open-records request.
The phishing emails baited personnel by asking them to verify their user accounts by clicking a link and logging in. The link really took victims to "a cloud-based Google spreadsheet."
A dozen NRC personnel took the bait and clicked the link.

So almost 6% of employees clicked on the link bait. That is a pretty significant number, especially considering that:

Every NRC employee is required to complete annual cyber training that deals with phishing, spearphishing and other attempts to obtain illicit entry into agency networks.

I don't have a thing against employee security awareness programs, but I've heard this promoted (typically by management) for 25 years. I'm just not convinced that it is effective.