Training is not the answer to security problems, as empirically it has no effect. The only measures that work are technological, like U2F keys.

Technical solutions can always be defeated by social engineering. Training is supposed to prevent that.

How do you socially engineer someone to compromise their U2F-based dongle?

When U2F is widely used, there will be more social engineering tricks - like, visit this attacker website or download this tool/browser extension, put cursor in box, now please touch your key to verify your identity.

Countless creative ways will be tried and discovered.

"Hi I'm from tech support, I need you to go and generate some new backup codes. Now read them to me. Thanks!"

Do you have a source on that? Anecdotally, I'm better at recognizing threats after my company instituted annual training as well as simulated attacks.

I dunno, this sounds like "you don't need vitamin D if you have enough vitamin C".