@Susan I agree most employees do take security seriously; it is that percentage of careless people that should keep IT awake at night. All it takes is one person to be careless and the network is compromised.
You and I know this, but if you are dealing with people who "click the link first" and then wonder why their machine doesn't work like it used to - it is a big problem. Locking down the network does not make people happy, nor is it an effective solution due to smartphones and cloud-based access.
Security firms are reluctant to acknowledge this because, of course, it directly affects their position.
I like the in-house training, but it will have to be carried out at least bi-annually to keep security in the minds of employees.