Jul 30, 2022
I do not want to be controversial. The point might be a bit strong when conveyed and I might be wrong.
- Phishing simulations can make users paranoid. I have seen cases where people started reporting everything. They did not even try to identify if it's a spam or phishing email.
- I am not saying industry standard compliance is useless. It is a great starting point for any security program. The point I wanted to highlight was an organisation's attitude and motivation towards getting such certifications and achieving compliance.
I agree I should have paraphrased the sentences for more clarity.