Now... is it really necessary, for those whose job doesn't include using a PC and only have basic e-mail address on their own phone used for non-important things, to have the same strong and complex security requirements as me? I really don't think so.
Studies have proven that security only works when everyone at a company is compelled to adhere to the same rules, regardless of job role, function, or whether they are members of management or non-management.
The number 1 requests for "Security Exceptions" (= not follow the rules) are made by executives, particularly CEOs and business owners. Why? Because they think they are so important that they should not have to follow the security rules.
Exceptions can work, as long as there is very active monitoring and governance. That, I know, is not done in 99% of businesses in existence - even in first world nations. It is absolute security chaos in nations where computer illiterate and even (reading) illiterate individuals are hired.
I would say in your employer's case, at the very least it can publish easily understood rules (written and printed for those who do not use a PC, and online for those who do). Then, however they decide to educate the non-PC users, it should be done on company time. The employee should be paid while receiving the training. They should also be given online videos for reference and be permitted to access them while on or off company premises.
A typical smartphone with only a company email feed can be secured by various methods - from simple to full hardening. However, I don't know enough about what is being used and configured to hazard a guess.
The whole "They wrote their password down and put it into their wallet!" just means they turned their physical wallet into a password wallet. If a user understands and creates a complex password (&8Ct%M00vQ), then writes it down, and puts it into their wallet, then that is more secure than "123MyName!".
The threat to email accounts is if they get breached, the attacker can take a look inside using various methods and can potentially figure out a way to get into the mail server, and from there explore lateral and vertical network/resource pivots. Or the attacker can use the compromised email account for all kinds of email-based attacks.
"We can't do this..." or "We can do this but it is very difficult..." or "We can do this but it will be costly out of proportion to the potential threat..." are all valid. That is what companies are supposed to do every quarter (every 3 months) - among a whole bunch of other GRC reviews.
I know one company that simply handles this kind of situation this way:
1. They use a random dice generator to generate a six-word passphrase with a minimum of 6 letters per word.
2. They add non-alphabetic single characters to the beginning and end, plus use spaces (e.g. "7 Kantos Pilgrimage Diving Marooned Sapiens Vendetta @").
3. They call the employee and provide the passphrase via voice.
4. They instruct the employee to write it down and then place that in a secure location; they request (do not demand) that the employee not keep it at their desk or locker, carry it with them always, etc.
5. They request (do not demand) that the employee memorize the passphrase.
6. Every year they have a random password verification test where the employee must input their password under observation at the company facility during regular work hours without a cheat sheet. If they do that, then they get 10 Euros added to their paycheck. This is done twice per year.
7. They reset the password every two years and follow this same procedure.
The employees want that extra 20 Euros because greater than 90% pass the password verification tests.
I know this because they asked me to solve their problem and this is what I came up with.
More importantly they use Microsoft Defender for Office 365 portal and other methods to probe and test the employees with potentially malicious emails. If the employee pool as a group scores better than 90% identification of potentially malicious emails, then they all get a 25 Euro bonus.
Mind you, this costs the company over 20,000 Euros per year just for the "bonus" payouts (does not include the costs of additional IT or support labor for the initiatives), but it reduces their security events, meets what is required by their cybersecurity insurance underwriter, keeps the insurance premium from being raised significantly, and meets various applicable regulations.
For first world companies, there are no excuses. The problem is a lack of willingness and an almost incomplete lack of security prioritization. Virtually all of them can afford to purchase and implement decent, if not moderate to highly robust security. The lack of willingness and prioritization of security is almost universally true of small businesses.
You know, a 2 person biz is a different beast than a 20 person operation. And a 20 person operation is a different beast than a 200 person small business. And a 200 person small business is a different beast than a 2000 person medium business. And so on.
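The passphrase procedure in steps 1 and 2 above (six dice-chosen words of at least six letters, a non-alphabetic character at each end, spaces between) can be reproduced in software so the help desk does not have to roll physical dice. The following is an added example, not the poster's or the company's own tooling: it substitutes Python's `secrets` CSPRNG for the dice (an assumption), uses a small constructed word list in place of a real 7776-entry diceware list, and adds a policy check and an entropy estimate so the reader can see why this beats "123MyName!".

```python
"""Diceware-style passphrase generator matching the procedure described above.

Example code added for illustration. The word list below is a constructed
stand-in for a real diceware list, and secrets.choice stands in for the
physical dice roll; neither is the company's actual method.
"""
import math
import secrets
import string

# Constructed stand-in word list. A real diceware list has 7776 entries (6^5),
# one per five-dice roll; the filter below enforces the "at least 6 letters" rule.
SAMPLE_WORDS = [
    "kantos", "pilgrimage", "diving", "marooned", "sapiens", "vendetta",
    "lantern", "orchard", "granite", "meadow", "cobalt", "harbour",
    "quartz", "saffron", "timber", "velvet", "walnut", "zephyr",
    "amber", "cat", "dog",  # shorter than 6 letters: filtered out by policy
]

MIN_WORD_LEN = 6
WORD_COUNT = 6
# Non-alphabetic single characters for the leading and trailing position
# (digits and punctuation, as in the "7 ... @" example above).
EDGE_CHARS = string.digits + "!@#$%&*+=?"


def eligible_words(words):
    """Keep only alphabetic words meeting the minimum length, deduplicated."""
    return sorted({w.lower() for w in words if w.isalpha() and len(w) >= MIN_WORD_LEN})


def roll_word(pool):
    """Pick one word with a CSPRNG; the software equivalent of a fair dice roll."""
    return secrets.choice(pool)


def generate_passphrase(words=SAMPLE_WORDS, count=WORD_COUNT):
    """Six capitalised words, space-separated, wrapped in two edge characters."""
    pool = eligible_words(words)
    if len(pool) < count:
        raise ValueError("word list too small for the requested word count")
    chosen = [roll_word(pool).capitalize() for _ in range(count)]
    lead = secrets.choice(EDGE_CHARS)
    tail = secrets.choice(EDGE_CHARS)
    return " ".join([lead, *chosen, tail])


def entropy_bits(word_list_size, count=WORD_COUNT, edge_alphabet=len(EDGE_CHARS)):
    """Entropy contributed by the words plus the two independent edge characters."""
    return count * math.log2(word_list_size) + 2 * math.log2(edge_alphabet)


def matches_policy(passphrase):
    """Check a candidate against the rules in steps 1 and 2."""
    parts = passphrase.split(" ")
    if len(parts) != WORD_COUNT + 2:
        return False
    lead, words, tail = parts[0], parts[1:-1], parts[-1]
    edges_ok = all(len(c) == 1 and not c.isalpha() for c in (lead, tail))
    words_ok = all(w.isalpha() and len(w) >= MIN_WORD_LEN for w in words)
    return edges_ok and words_ok


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, matches_policy(phrase))
    toy = entropy_bits(len(eligible_words(SAMPLE_WORDS)))
    full = entropy_bits(7776)
    print(f"{toy:.1f} bits from the toy list; {full:.1f} bits from a full diceware list")
```

With a real 7776-word list the six words alone give about 77.5 bits, and the two edge characters add roughly 8.6 more, which is why the written-down-in-a-wallet argument earlier in the post holds: the secret is strong enough that physical custody of the slip, not guessability, is the remaining risk.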