The most frequent comment I see on stories reporting some new, dramatically successful phishing attack is from an overconfident, nearly well-informed technophile who thinks people who fall for phishing schemes are just stupid.
Despite a success rate so high it's become standard operating procedure for Chinese military and government cyber-espionage groups, people who respond to phishing e-mails are treated like they're one walker-assisted step above the elderly shut-ins who send money to help Nigerian princes and ministers of finance mysteriously down on their luck.
If only the stupid fell for phishing scams, the successful attacks against companies with sophisticated security -- Google, Lockheed Martin, HBGary, PayPal, various U.S. military and intelligence agencies -- would have been shut down quickly. Others with security at least as good -- Citibank, Bank of America, AOL, Western Union -- wouldn't have to send out alerts every 10 minutes warning people that they weren't sending out alerts, so don't mail in your usernames and passwords.
Phishing works, for the same reason grifting works -- given a set of facts that seem to fit all their expectations and experience, and the opportunity to either help out a co-worker or profit from something that's very little trouble for them, most people will take the risk. (See also "4 Security Tips Spurred by Recent Phishing Attacks on Gmail, Hotmail, and Yahoo").