There's a good case for expanding slightly on plaintext. It's not just decorative - some usecases like Right-to-Left or lists or linked are helped by a little markup, and HTML is good enough.
The problem is going overboard on CSS (maybe none should be allowed) or allowing any javascript at all. I can't recall any email security issue ever which is HTML only without any CSS or javascript.
The problem is going overboard on CSS (maybe none should be allowed) or allowing any javascript at all. I can't recall any email security issue ever which is HTML only without any CSS or javascript.