I don’t think that the cybersecurity team did anything wrong. If they can be exploited that way then it is a measurable risk.
My entire point is that none of that is actually new information. Every piece of research by anyone has always indicated that the human element is the weakest part of the security system. If you’re asking if you can trust a user to reliably do something, you can safely say “no” and make contingencies for when they don’t.
If they have technical solutions available, they didn’t need to run a drill to know that they should use them.
It’s not about being “liked”. It’s about effectively enforcing a security posture. An adversarial relationship does more to undermine that than providing guidance on how to do it better.
They have no obligation at all to “run scenarios” where they could just implement the fix to the problem.
They exposed a fatal vulnerability in the same way stabbing someone exposed a problem: it’s been demonstrated, but it’s not new information.
This type of exercise is about producing numbers that look good on a spreadsheet. You do a phishing drill, people fail and then you run a training. A few weeks later you do it again and since people still have the previous drill lingering they remember, and you send a softball phish. Line go up and to the right. Looks good in report.