True, in many cases there is a whole chain of vulnerabilities and misconfigurations, and everything starts with one phishing mail. For example:

• successful phishing
• VPN without 2FA, allowing the attacker access to company services
• internal services with vulnerabilities, allowing the attacker to compromise a server
• permission misconfiguration, allowing lateral movement

That was the point of this meme. It is not phishing alone that gets the company in trouble, its mostly a series of misconfigurations.

I think that in cyber security, we have to assume that phishing will be successful sometimes - and be prepared when it happens.