Because the aforementioned built-in link obfuscation makes it hard to even tell if the link goes to one of our work domains. And pretty much all our stuff is behind SSO, so if something asks for creds that's an easier tell than hovering over the link and trying to figure out where it goes. And sometimes they introduce new tools on new domains that may be legit.
Generally clicking on the link is not what gets you compromised (except for some spearphishing involving zero-days...). It's actions following that which might. So they're barking up the wrong tree and penalize people for that. That's just chicanery.
Then why even click on it in the first place (and risk your email address getting flagged as active in some illicit database?)