"I wonder if the account phished this time was one JISC breached on their test."
Based on what I see in my own $orkplace - I don't.
And these same people get offended/start making grievance cases when you call them out on it.
I'm not kidding about this either - We had two staffers _deliberately_ disable AV software which was preventing them opening malware that had come in via email on the basis that "It might be something important" - and they did it on multiple occasions.
After one's third offence - and giving her a dressing down for causing us over a day's lost work a formal complaint was filed on the basis of "Speaking to her as if she was a spoiled naughty child and making her cry" - her excuse at the time was "I knew it might be infected but it's my duty to open everything to see if it's important, no matter what and the Antivirus software was stopping me doing that"
These are the users who give you 65 million reasons to ensure that they CAN'T mess with the systems - although personally I'd prefer to detect them attempting it, give one warning and make the second one security appearing at their desk to escort them off the premises.