Agree right down the line until the end... disabling HTML is one more step that can be taken when warranted following a proper risk analysis. In other words, if your use case points to a high risk from HTML vulnerabilities in email, it should be disabled, particularly if it's not needed to support current or planned business practices. But if you use embedded HTML in email and your organization won't incur serious risk... it would be worth the risk to keep it. You can't paint across IT security with a broad brush; you have to go through the moves, examine processes and evaluate risks. You know this or you wouldn't have written what you did above; you are just focused on your own use case and see it from that perspective. Therefore you are right... from your own company's use case.