You're missing the point: he did not send an email with a link, he sent an email in plain text, no hyperlink, containing the ASCII characters "example.com", and the recipient's email client silently changed it into a hyperlink. And of course that doesn't just happen with "example.com"; it happens with any piece of plain text that the email client decides might be a URL, which includes many file names since many common file extensions are also TLDs. That is the security issue.
