Training does work to reduce the number of successful untargeted attacks. For spear-phishing it's hit and miss on how good the attack is, but a good enough attack will work against almost anyone. As someone that sees really well-crafted phish, I can tell you I myself will fall for a good phish. It has to do with eliminating the element of surprise: if I didn't expect the email, I will assume it's a phish. But if rapport is built and the subject is something very specific only a few people are privy to, then my guard will be lowered. Business email compromise comes to mind; they just reply to an existing thread with a link to a trusted site like OneDrive.