True, but it also has to do with the fact that they immediately trust and in some cases execute code or data downloaded from anywhere, without even asking the user.
Wordperfect, Quattro Pro, the Lotus SmartSuite office package, and OpenOffice do not have these vulnerabilities, period. Netscape Mail, Pegasus, the Bat, etc. do not have these vulnerabilities either.
How do you explain that? HINT: it is a question of bad design vs. good design.
Alter the correct settings and this will not happen.