Context missing
So, if the email and/or the link was obviously external I have less sympathy for the recipients. Well, I have sympathy on a personal level, obviously, but I don't think they have been treated unfairly. That is even more the case if the email was flagged by the mail system as a possible phish and they still persisted ... then even my personal sympathy starts to wane.
However, if the link is on the intranet that is, IMHO, a completely different story. You don't know the thought process the user goes through. "Hah, hah, this can't be true! *hovers link* Wow, what do you know? Maybe my company is following the example of Aldi, etc! *clicks*"
In the latter case, I think the recipient is completely justified in considering themself to have been mistreated by management. I think management would have to prove they had never, ever sent an email with a link to even have a chance of getting away with this, and I'll eat my riding hat if they can do that.
Also, any sensible management would have paid a small bonus anyway. "You're all getting an extra 20 quid, but you should have realised you wouldn't have to register for it - we know who's on the payroll ;-) Be careful not to click links! Love, management xx" - PR success instead of disaster and a phishing test that might actually get remembered.