Large tech companies routinely run pentest exercises against themselves that involve phishing their own employees. Good security has to include educating the human element as well: if you have great technical security but all you have to do to get in is ask an employee their password, you've lost.
Large companies also invest significantly in protection against massive DDoS and power cuts to the building, along with drills for earthquakes and zombie apocalypses.
I wasn't trying to say those things aren't really security problems... just that they perhaps aren't things you'd want random people on the internet attempting to exploit.
They also control the rate at how their own employees get phished, especially if they want the employees to report any suspicious attempts. Constant barrages from outsiders will make the employees stop reporting.
Large companies also invest significantly in protection against massive DDoS and power cuts to the building, along with drills for earthquakes and zombie apocalypses.