I feel like attacks like this would be much harder if we had never adopted HTML emails. Then it would make more intuitive sense (for the user) for an institution to write:
(1) Go to our website
(2) Log in and check your account
Of course, legitimate emails do that now, but because of the way we've been trained to "click" (such as "click to verify your email"), this conditioning carries over to phishing and other attacks, whereas that would be impossible with plain text. With plain text, the email verification would have to be "paste this code into a box".