What's the metric?
In any effort like this, one of the things a good manager wants to know is how do we measure this so we know if it is effective? What is the method to measure improvement? Number of clicks? Number of repeat clicks? As the article says, someone will always click. In one phishing training I saw, the security team member clicked on the link and was literally typing in their live username and password, "to be helpful".
I argue that the critical missing metric is time based. How long until that first report? How long until that first click? Can we get people trained to report these things quickly, alerting the trained staff fast enough that they could actually respond and block the malicious URL before the first click? It's ambitious, but it gives you a real measure of your window of vulnerability and your ability to contain the damage.