This article seems to make the mistake of thinking unsophisticated automatically means bad. Sometimes the simplest methods are amongst the most effective - users being a weak link is a constant, whereas vulns are patched all the damn time
https://arstechnica.com/?post_type=post&p=1648279