I don’t think that the cybersecurity team did anything wrong. If they can be exploited that way then it is a measurable risk.

  • ricecake@sh.itjust.works · 4 days ago

    Yeah, you’re right. Passkeys, SSO and password managers make it impossible to get any work done. It’s much better to keep doing the same things that haven’t been working for decades. Don’t forget to make everyone rotate their password every month!

    What’s your simple due diligence to prevent phishing? You check the links you click, verify the URL you ended up at is what you expect, validate there are no unexpected Unicode swaps in the domain, pop back to the email and check the sender is known and trusted, look at the headers and validate the routing chain, then double check the sender’s SPF and DKIM records are on the up and up? Oh, and make sure the actual content that you landed on is from the website and not a hijacked subdomain.

    they have no reason not to trust them as a coworker doing their assigned job

    That’s the specific area where they don’t. We’re discussing a specific situation where the security team is taking it upon themselves as their job duty to trick you and get you in trouble. That makes people hesitate to share security concerns because “those guys are pricks and will make this all my fault”.

    Losing your job because ransomware

    It’s a hospital. They’re already short on nurses and administration staff. Those people directly provide patient care or manage operations. Security does not. Security’s job is to maintain security standards compliance and maybe keep patient data safe. It is not to exacerbate a staffing issue or let the network go down because you thought it was too much hassle to do your job and properly secure a fucking managed laptop. Security is, rightly, going to be blamed when a user gets the network infected. Particularly when your idea of training is to offer them PTO and then call them an idiot when they want it.
    The person making the decision on who to blame is a lot more like that poor nurse than they are like security.