Blaming the victim for malware is an out dated concept. These days you do not have to open a link to get malware. Legitimate sites become corrupted every day. There could easily be no malfeasance or carelessness at all by an employee or contractor for the city that contributed to this issue.
Sorry, but I'll hold to this because this is still the predominant point of access in these cases. Yes training has reduced the incidence but scammers can be very convincing, that is their profession after all. The one that is most insidious is when the message appears from an identified superior, that is not carelessness nor malfeasance and that is where I agree with you.
My desire is still for segregation (sandbox) of the local nodes. Very complex task to work it out for both safety and efficiency. A worthy job for the Federal Government to do the heavy lifting.