I agree that a very strict version of this is too draconian for most workplaces, but depending on the person's role and how many times they've failed a phish test, I think it's reasonable to have consequences. For positions where getting phished would be disastrous, something along the lines of a warning or training after the first and second strikes, then firing after the third, doesn't strike me as exceptionally draconian.