YES people take this seriously

If your workplace regularly sends fake phishing emails to see who clicks:
1. It will have been signed off by somebody senior at some stage that this is appropriate.
2. It will be an authorised exercise.
3. It's probably a condition of employment that, if you're at work/using work systems then you are taken to have consented to terms of appropriate use of the system. You probably have signed up to terms of use at some point/had them pointed out to you.
4. That set of terms will permit login/security monitoring if appropriate.

If 1 and 2 don't apply, then somebody else is in breach of 3 and 4 :) If none of these
apply, you're in a similar position to the kernel devs. here.

The UMN researchers may have been unknowing/careless at best: devious and exploitative at worst. Their IRB may have been on the ball and questioned everything they saw before allowing it or they may have been unsighted/misled/not understood the scope of the work. The combined effect was that their actions impacted a bunch of third party developers, caused work, created a degree of mayhem. That's not OK.

A bunch of far smarter people than I am can argue the exact cost and harm but it's left a sour taste in the mouth for major kernel developers who are the people I rely on to provide me reliability and security every time I start my machine.