Only because the protections are there for email viruses. Phishing and spearphishing are still popular attack vectors, so we know people would be susceptible to something like iloveyou if it were to get past other defenses
Those protections are done up-stream at the MTA level and completely passive for the end user.
The "security best practices" are a cargo cult exercise that just lulls organizations into believing they're protected against motivated actors, when instead they're just enforcing a group policy on a good day.
