Actually, my business is *advising those* who perform risk management around information security. We actually typically take the position that our clients are *too concerned* about information risks, as you are doing here. See for example this recent post in our blog:
http://irec.wordpress.com/2009/06/10/do-we-spend-too-much-to-protect-information/

I also argue in favor of password usability in the blog:
http://irec.wordpress.com/2009/07/08/5-properties-of-passwords-that-must-be-managed-to-reduce-risk/

Anyway, putting my personal psychology and biases aside, I think I failed to make my point clear.

As far as you’re concerned I don’t care how you make your personal risk management decisions. What I meant was: *from the POV of the companies,* phishing is a well-founded problem that they bear real costs of every day. Reminders to them about usability such as your original post are probably needed, but they are probably not keeping links out of their email because they are “big and lazy” or failing to “think 2.0″, but because they are trying to train their customers that real emails from them will not contain links in order to help their customers spot phishing emails, which in turn lowers the companies’ risks. Whether the negative impact to the customer is less or more than the positive impact from reduced phishing is a legitimate question, but it is not helpful to reduce the decision to laziness.

If we stifle ourselves over unfounded fears (and a failure to step forward intelligently) we will fail to move forward at all.

Ah, but I see that your profession is risk management. The more analytical side of me would suggest that you are in the business of ‘fear mongering’ (or gravitated there to alleviate your own personal fears, thinking that there’s such a thing as ‘control’ — which there is not).