Yeah, but I'm thinking about corporations when I talk about security. For the military, security has a whole different meaning. Lives will always be more important.
The problem when it comes to security is that either you restrict everything to deal with the lowest common denominator, in which case you create artificial hoops for people to jump through. The smarter worker will actively try to circumvent those barriers because they interfere with their job. That opens up a whole bunch of other problems down the line when they do figure out a way around whatever stupid thing you put in place and share it with everyone.
Or you take the smarter approach and figure that to really be secure is to plan for people to get infected and plan for people to fall for phishing schemes/ransomware eventually (because eventually someone will be dumb enough to get in trouble with this) and put systems in place to mitigate any potential damage. Daily/weekly backups, for starters, are a good way to get around half the problem. With phishing sites, monitoring internet traffic and blocking known phishing sites is a way to prevent this. Routinely testing people with phishing sites made to test employees and having the ones that fail take a mandatory class is another way to prevent it through education. Making sure everyone is using ad/popup blockers in their browsers and limiting access to sensitive information is yet another. Starting to utilize two-factor authentication is yet another one, which will eliminate the effectiveness of most phishing sites.
My whole point is that disabling HTML in emails is like the least effective way to prevent phishing.
Agree right down the line until the end ... disabling HTML is one more step that can be taken when warranted following a proper risk analysis. In other words, if your use case points to a high risk from HTML vulnerabilities in email, it should be disabled, particularly if it's not needed to support current or planned business practices. But if you use embedded HTML in email and your organization won't incur serious risk ... it would be worth the risk to keep it.
You can't paint across IT security with a broad brush; you have to go through the moves, examine processes and evaluate risks. You know this or you wouldn't have written what you did above; you are just focused on your own use case and see it from that perspective. Therefore you are right ... from your own company's use case.