Security is a trade off between usefulness and protection. To maximize security you could not use email. In today’s world that’s not practical for most businesses, but they would be protected from direct email attack. I could allow only text based emails, which allows email usageabd prevents a lot of attacks.

As it pertains to phishing, it’s mostly a non-technical attack. The goal is simply to gain information from a target through trickery. Ever fill out a card to win a free “insert thing”? Just have to give all your contact info. Phishing is more targeted at credentials, but it’s the same idea. Why hack my way through a next-gen firewall and ips when I can just send an email to to a secretary in HR saying there password is about to expire? This is why human training, imo, is more important than technological solutions.