Until there's a sexy solution, nothing will change
because that's how the money goes.
In the meantime, very small changes - or even a single change - could probably halt 80% of attempts. Just don't allow email clients to invoke web browsers. (Yes, it's that simple).
If you are going to sacrifice security for convenience (because if you don't do the previous, that's what you are admitting is the case) then FFS at least don't render links where the URL is different to the displayed text.
Or, if you have to render them, then at least do it in red, with a confirmation dialog, so the user has a warning.
Alternatively you could spaff me a few hundred thousand, and I'll deliver you a clunky, dodgy "AI" "solution", and see you all here in a years time.