I think it probably dates to pre-Web pre-Internet time, all the way back to a concept Microsoft once had of "near real time" updates, where (as an example) sales people in the field would Email information and forms to a central location, the central location could massage the data, update databases, etc., and their sales people would get stuff back in return Email messages. (This was demonstrated in one of the few Developer Days I ever went to. Nowdays, for that scenario, you'd be updating things more directly via a Web page.)
That's probably where the idea came from, but it's obviously far from a description of where it went from there. I would guess that because they had done something like this before, they built the same type of thing with COM objects - and all the while, thinking about the benefits of being able to execute code out of mail, and not even thinking about the security problems inherent in getting untrusted mail.
By the time they realized the severity of the problems, it was really too late for them to do a lot about it. The code for executing stuff from Email (and, by then, other office components) was probably so tightly "integrated" with every component that it was probably logistically impossible to tear it out.
At least how I remember it from the 90's. If someone has a different explanation of how the entire mess evolved, I'd be interested in seeing it.