McAfee opens mouth, inserts foot. Again. So does anarchic-teapot.
"Despite the proliferation of XSS attacks, McAfee's ScanAlert, which provides daily audits of ecommerce websites to certify them 'Hacker Safe', gives clients the thumbs up even when XSS vulnerabilities are discovered on their pages."
John McAfee has continued his tradition of after-the-fact security for at least twelve years. You have him to thank for convincing the media, and therefore the public, to use reactive anti-virus technology.
"Many thanks to Microsoft, who started the whole HTML-email crap, and persisted despite numerous warnings of security risks."
Mister Teapot, in the process of calling the kettle black, you forgot that you have Netscape Communications to blame for this one.
http://en.wikipedia.org/wiki/Browser_timeline
Netscape 3, complete with "Rich Text" e-mail as they called it, came out in 1996. Compare with IE3's release in January 2007. Further, Outlook didn't support HTML e-mail until Outlook 98, and Outlook Express / Internet Mail and News didn't support it until IE4 came out. You have Netscape Communications to blame for HTML e-mail, not Microsoft. You also have Netscape to blame for (shudder) JavaScript.
I'd have taken the older scourge of winmail.dat attachments over HTML e-mail, brought to you by Netscape.