BMoreOs
Brass Contributor
Jul 15, 2024

Microsoft Security Recommendation issues and Impersonation

Within the numerous dashboards for Microsoft, we see impersonation protection as failed/not compliant, or not enabled in our environment.  This is a 2-part question:

1.  Does it work well?  Why do we see impersonated emails in our environment despite having the users set up for it?  We have seen 3 in the last week for our CEO even though he is on the list.  

2. Despite having it on and our owned domains added, the environment still shows we don't have it set up. Also, it gives us a limit of 350 users; are we supposed to check each person one by one? Why negatively impact security scores when you are only supposed to set this up for VIPs? Why not allow it to be on for all users?

EDIT:  This is what it advises even though you are limited to 350 users.  Ensure that all users have an assigned anti-phishing policy with ‘Enable domains to protect’, ‘Include domains I own’ and ‘Include custom domains’ options enabled, by either updating your existing policies or creating new ones.
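
The settings named in the recommendation can be checked per policy from Exchange Online PowerShell. The script below is an added example, not part of the original post. It assumes an existing `Connect-ExchangeOnline` session and that 'Include domains I own' and 'Include custom domains' correspond to the `EnableOrganizationDomainsProtection` and `EnableTargetedDomainsProtection` policy properties.

```powershell
# Added example (not from the original post). Read-only audit of the
# impersonation settings on every anti-phishing policy in the tenant.
# Assumes the ExchangeOnlineManagement module and a connected session.

# Rules carry the recipient scope; each rule points at one policy by name.
$rules = Get-AntiPhishRule

$report = foreach ($policy in Get-AntiPhishPolicy) {
    $rule = $rules | Where-Object { $_.AntiPhishPolicy -eq $policy.Name }

    [pscustomobject]@{
        Policy         = $policy.Name
        IsDefault      = $policy.IsDefault
        # A custom policy protects nobody if its rule is missing or disabled.
        RuleState      = if ($rule) { $rule.State } else { 'no rule' }
        # Assumed mapping: 'Include domains I own'
        OwnedDomains   = $policy.EnableOrganizationDomainsProtection
        # Assumed mapping: 'Include custom domains'
        CustomDomains  = $policy.EnableTargetedDomainsProtection
        CustomCount    = @($policy.TargetedDomainsToProtect | Where-Object { $_ }).Count
        # Per-user impersonation list (the one the post says is capped at 350)
        UserProtection = $policy.EnableTargetedUserProtection
        UserCount      = @($policy.TargetedUsersToProtect | Where-Object { $_ }).Count
    }
}

# Full picture, one row per policy.
$report | Format-Table -AutoSize

# Policies that would not satisfy the recommendation quoted in the EDIT:
# either domain option is off, or the policy's rule is not enabled.
$gaps = $report | Where-Object {
    -not $_.OwnedDomains -or
    -not $_.CustomDomains -or
    (-not $_.IsDefault -and $_.RuleState -ne 'Enabled')
}

if ($gaps) {
    Write-Warning "Policies missing domain impersonation settings:"
    $gaps | Select-Object Policy, IsDefault, RuleState, OwnedDomains, CustomDomains |
        Format-Table -AutoSize
} else {
    Write-Output "All anti-phishing policies have both domain options enabled."
}
```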