The reason security approaches keep doing this is because, time and again, security teams have been finding that not educating the user simply makes for worse security. It might not be great user-friendliness, but the average company needs a fair bit of user-friendliness to compensate for poor security actions. As for why they don’t, for example, block pages instead of merely warning people… …the companies I’ve seen do block entire categories of site that is clearly egregious to expected corporate use, but have to permit a considerably larger number of edge cases to avoid being inundated by requests to unblock the wide number of sites that people in working environments typically use these days. That’s before considering consumer use, where any sort of blocking is taken with resentment at best.