"your browser that is under constant attack from craply-written ad scripts"
This is true, but remember the reason Firefox and Thunderbird shared code in the first place: HTML mail. You need a full rendering engine to show HTML mail, basically, and Thunderbird is using the Firefox one.
It follows that mail clients are usually vulnerable to nearly as many potential exploits as web browsers, only they often don't update their rendering engines as aggressively. Evolution, for instance, was stuck on an ancient Webkit version that was vulnerable to all sorts of stuff for years.
So your email client is subject to similar attacks. Yes, you can just turn HTML mail off, but you need to be really sure it *is* completely turned off (i.e. your client isn't making any attempt to interpret it, rather than just not displaying the HTML version by default).