I always suspected technical tools were more effective (time, effort, money) than the training programs. However, only company-wide training programs provide visibility to the CISO, so they tend to be popular even if ineffective.

Because you cannot fix humans, technology is the most effective approach.