Humans are NOT the weakest link in cybersecurity

What a copout this is! Basically, it sounds like someone throwing up their hands and saying, "people will be people, so we've got to prevent them from making mistakes!" The "solution" in the past has been security awareness and phishing training, which are increasingly proven to be ineffective, or even harmful. Instead, the solution should be accounting for the inevitability of humans making mistakes. It's GOING to happen, so we should be prepared for it. The security awareness/phishing training vendors have started to pivot towards "make your employees your first line of defense, train them to detect attacks".

The reality is that we know how humans fail, and we know how attackers take advantage of them. Since we know how this story plays out, why don't we just put the necessary detection and controls in place to prepare for it?