Everyone parrots that social engineering is the most effective breach approach, but there is absolutely no evidence backing it up. It's likely that most people have learned what a phishing email and sms is, and won't fall for it. Modern filter systems also make it very difficult to deliver in bulk. Of course, everyone will accept it as true because they can imagine crafting a simple email, but exploit development is far outside the capabilities of their puny minds.