Sort of like how a lock can be picked in 30 seconds, but still deters 90% of crime - a lot of criminals are just searching around to find out who is vulnerable, and most every company has something that's worth at least a bit (even if it's just stealing $500 laptops instead of breaching the network).
I've been at a company that was well targeted. I forget which group it was, but they got into a lot of customer service sites that week; not ours, but we had some near misses. Almost got me, sent me an email from the boss with 'The blog is down' and a link ... I was checking my mail on mobile as I was out the door, but of course mobile doesn't show any useful headers like from address.
I mean, a company I worked at had a significant amount of money stolen after the attackers spent 6 months sitting on their access waiting for the right moment to fake an (expected) reply to an email exchange. The original breach (or at least the breach of this executive's account) involved a very targeted phish. When the potential payout is millions it justifies a lot of effort.