It's odd that nobody addresses the elephant in the room (kitchen?) -- even though we know better, we allow active content to be introduced from outside onto corporate networks. There should be absolutely no way that clicking on a link or opening a document should provide a pathway for malware to infect a system, and the fact that it does speaks volumes about our business software and how we use it. Dumping on the person who got it wrong this time isn't going to fix the problem. It's a bit like allowing smoking in a fireworks factory and then firing what's left of the person who's deemed responsible for blowing the place up.
Most email traffic should be in plain text -- if there's a link in the text then it can be opened separately once it's been checked to see if it's safe and if it's relevant to the content of the message. Documents need to be exchanged in a form that precludes active content, especially remote downloadable content. I know this goes against the entire Microsoft philosophy of doing stuff, but until their code is guaranteed bulletproof it has to be treated as untrustworthy.