Perhaps because email has become so mutilated since when Ray Tomlinson first sent one in 1971 (even to the point where his deserved title of inventor of email has been subject to crackpot legal dispute), it's hard to think of it as own domain. It's really just a vector of attack that you can use to deliver anything you want - from social engineering to malware. The problem isn't the email. It's the range of really bad applications, host security, and consumer exploitation that get used around it.
I suppose you could focus on SPF, DKIM, DMARC, but to me these are more accomplices than solutions. The harder we make it to deliver email, the more we are encouraging individuals and businesses to move toward a handful of email providers whose business model is gathering and marketing customer data. If you strip away the garbage that we have pumped into email (for the love all that is good, please never put an emoji in a subject line), it is actually more secure even if we throw out with that bath water some other "good" things. However, were we to do that, the big providers lose their tracking and so do many other parasite "tech" companies.
And so, not for any educated reason, we use email in an inherently risky way - extremely high risk if you choose to marry certain email applications to an OS prone to execute any sort of code it sees. But I don't see this as an "email" issue as much as a user one.
