It's more than just cookies that's the issue. If you click on a link and open a page in a web browser, unless it's a very basic text only site, you're going to be executing html code on your computer. Html code, just like any other, can load a virus. Some browsers block sites known to be infected; some "big names" have been hacked and infected in the past. I never click on a link in an email unless I'm certain that I not only know the person it purports to come from, but am sure that they would send such an email as well. I often get emails supposedly from people I know which consist of a simple message like "Hi Stephen, you might be interested in this link". I know the people well enough to know that they would never send such an email, and it gets deleted.
I've used a basic Windows 3.1 email program for years (since I had to switch from a better OS/2 one when OS/2 was discontinued). It fails to respond to html code and shows everything text only, which is safe. The downside is that some people send html mail, so I get "From" appearing as ?utf-8?B?QnJpZ2h0b24gJiBIb3ZlIENpdHkgQ291bmNpbA==?= with a subject of ?utf-8?B?QnVzIHBhc3MgcmVuZXdhbCBhcHBsaWNhdGlvbiA=?= (actual example, using copy and paste of From and Subject of an email from Brighton Council about my bus pass renewal). This obscurity is a price worth paying for me, knowing that plain text doesn't actually result in anything being executed.
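
The `?utf-8?B?...?=` strings quoted in the post above are RFC 2047 encoded-words (base64 or quoted-printable text tagged with its character set), which a client that shows raw headers leaves undecoded. The Python below is an added example, not part of the original post: it turns them into plain text without rendering anything, and the function name, the tolerance for the missing leading `=`, and the extra test strings are assumptions made for this example.

```python
import base64
import quopri
import re

# RFC 2047 encoded-word: =?charset?encoding?text?=
# The leading "=" is optional here only because the strings quoted in the
# post lack it (assumption: it was lost in copy and paste).
ENCODED_WORD = re.compile(r"=?\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")
# Whitespace that separates two adjacent encoded-words is not part of the text.
BETWEEN_WORDS = re.compile(r"(\?=)\s+(?==?\?[^?\s]+\?[bBqQ]\?)")


def _decode_word(match):
    charset, encoding, payload = match.group(1), match.group(2).upper(), match.group(3)
    try:
        if encoding == "B":
            raw = base64.b64decode(payload, validate=True)
        else:
            # "Q" is quoted-printable in which "_" stands for a space.
            raw = quopri.decodestring(payload.encode("ascii"), header=True)
        text = raw.decode(charset)
    except (ValueError, LookupError):
        # Bad base64, undecodable bytes or unknown charset: show as received.
        return match.group(0)
    # The result is only ever text; drop control characters (ESC, CR, LF)
    # so it is safe to print on one line of a terminal or log.
    return "".join(ch for ch in text if ch.isprintable())


def decode_header_text(value):
    """Return a header value with every encoded-word replaced by its text."""
    joined = BETWEEN_WORDS.sub(r"\1", value)
    return ENCODED_WORD.sub(_decode_word, joined)


# The two header values exactly as quoted in the post.
FROM_RAW = "?utf-8?B?QnJpZ2h0b24gJiBIb3ZlIENpdHkgQ291bmNpbA==?="
SUBJECT_RAW = "?utf-8?B?QnVzIHBhc3MgcmVuZXdhbCBhcHBsaWNhdGlvbiA=?="

if __name__ == "__main__":
    print("From:   ", decode_header_text(FROM_RAW))
    print("Subject:", decode_header_text(SUBJECT_RAW))
```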