My company puts all employees through regular training to detect these sorts of attacks. They're generally quite easy to spot. But, a perfectly written piece of software can be vulnerable to poor implementation or lax user environment standards.
Think of it this way, your entire enterprise IT environment is set up to a reasonable standard, but VP Snowflake demands admin access on his workstation so he can install whatever he wants whenever he wants. A direct violation of policy, but he's VP Snowflake, so he compels the poor IT guy to make it happen. VP Snowflake then gets a Spearphishing/Whaling email containing a suspicious file. Because he's important and doesn't do his yearly user security training, he opens the email, opens the file that is a poorly disguised attack, and has his system compromised. Because he's a VP, the attackers now have access to all sorts of data, as well as access to other systems. Because the organization hasn't implemented inter-system controls, such as Zero Trust (because it makes it slightly tedious for VP Snowflake to get to a document on a server in another department), the attack starts spreading horizontally throughout the enterprise, infecting other systems. Then there is a weakness in a boundary security system between the IT environment and OT environment because the OT systems weren't designed with security in mind because they were purchased 30 years ago, not intended to be connected to the IT network, and haven't been replaced because "we can't afford the investment or downtime". Now the attacker has access to systems that can actually impact human safety or critical operations...
That's not science fiction, but how it happens day in, day out. An easy mitigation would be to not allow VP Snowflake to have admin rights and to enforce user security training even for the "important" people. Not connecting OT to IT or making sure there are strong controls and monitoring in place would reduce the risk.
Things have changed very significantly in the last decade alone. The stakes have increased and technology is being weaponized like never before. I'm starting to see why there are prohibitions against computers in the Battlestar Galactica and Dune universes. You can't hack what isn't connected.
Chris