Some years ago, there wasn't a single (proper) organization without an Email Security Gateway. That briefly changed with the advent of good, cloud-based servers, such as Google's and Microsoft's. Briefly.
With around 320 000 000 000 emails sent every day across 5000 million mailboxes, companies still rely on email as their number one form of reliable communication. You can "talk" using virtual calls (such as Zoom) and IM tools (such as Slack), but you cannot send a proper message: complete, traceable, and meant for all types of recipients.
Companies lived fine with email. They would host their own email server (Exchange, usually), add an Email Security Gateway in front of it, maybe a firewall and an endpoint antivirus on every employee's computer, and things seemed to work fine.
But something changed: with the great shift to the cloud, and in particular to platforms-as-a-service such as O365 or G-Workspace, companies decided to abandon their datacenter-based email systems. Apparently, spam stopped being a problem.
Has Spam softened?
A large majority of email is either dangerous (social engineering fraud such as phishing, and/or malware in links or files) or just annoying and unwanted (spam). The share of bad emails used to be as high as 80% just some years ago, but it is now around 50%. The reason is that "regular spam" is easier to catch and, on the other end, attackers are now more professional and focused on direct, personalized attacks (i.e. spearphishing). The profit for them keeps growing, but it is now diversified (ransomware, data theft), and not just pushing for fraudulent purchases or charming people into giving up personal information.
So why is traditional spam easier to catch? The systems got better and, most of all, threat intelligence and network reputation technology have improved significantly. Network reputation basically holds extensive data on incoming emails, servers, and IPs, which in turn caused many hosting environments to be more careful about what they allow to be transmitted and received. That led to fewer "relaxed" hosting companies and fewer options for third-party hosting of Command and Control and "Marketing" email services (although the dark web continues to offer a good deal of such services).
The realization of dedicated Security systems:
Office 365 and others bring their own security included. But they lack management of this security, they lack visibility on caught messages and, more importantly, they lack the redundancy of having a separate, dedicated system where security operators can do their work before messages arrive in inboxes. It makes sense. There aren't many simpler products to use than a Gmail or a Word. They're meant for every type of user and organization and, therefore, cannot be complicated or focused on cybersecurity.
A reasonably good antispam engine blocks the easier, low-tech forms of spam. For advanced protection you'll need a proper set of features covering malware detection, fraud content analysis, and authentication verification (DMARC, SPF, DKIM, MTA-STS, and a few more acronyms), all coupled with a system operational enough for users to decide what to trust and under which conditions, as well as to fine-tune configurations, manage quarantine, and take advanced decisions on suspicious emails (for instance, deliver without attachments).
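As an added illustration (not code from the article or from any gateway product), the sketch below combines two of the features just listed: reading the SPF/DKIM/DMARC verdicts from a message and choosing between delivering, quarantining, or delivering without attachments. The sample message, the three-way policy in `decide`, and all function names are assumptions made for the example.

```python
import re
from email import message_from_string, policy

# Constructed sample (not from the article). Assumes the Authentication-Results
# header was stamped by your own verifier and forged copies were stripped upstream.
SAMPLE = """\
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=bulk.example.test; dkim=none; dmarc=fail header.from=example.test
From: Accounts <accounts@example.test>
To: user@corp.example.test
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts; a missing method counts as 'none'."""
    header = str(msg.get("Authentication-Results", "")).lower()
    found = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
    return {m: found.get(m, "none") for m in ("spf", "dkim", "dmarc")}

def decide(results, has_attachment):
    """Hypothetical three-way policy: deliver, quarantine, or strip attachments."""
    if results["dmarc"] == "pass":
        return "deliver"
    if "pass" not in (results["spf"], results["dkim"]):
        return "quarantine"          # nothing authenticated at all
    # Partially authenticated: let the text through, hold back the files.
    return "deliver-without-attachments" if has_attachment else "deliver"

def process(raw):
    """Return (action, removed_filenames, message) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    attachments = list(msg.iter_attachments())
    action = decide(auth_results(msg), bool(attachments))
    removed = []
    if action == "deliver-without-attachments":
        removed = [a.get_filename() or "unnamed" for a in attachments]
        msg.set_payload([p for p in msg.get_payload() if p not in attachments])
    return action, removed, msg
```

The sample passes SPF for the envelope domain but fails DMARC alignment, so the text body is delivered and `invoice.zip` is held back, which is the kind of per-message decision an operator needs visibility into.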
These systems use plenty of threat intelligence sources, as well as antivirus, to block most of the more common malware (ransomware and other types included). Traditional AVs catch between 30-60% of malware. If you combine several AVs, the catch rate can go higher, but it is never sufficient. New malware (zero day) needs to be caught by sandboxes and high-update-rate AVs. For fraudulent emails you'll need machine learning systems that combine all the metadata and cross it with known patterns.
Without any type of filtering, any system would be unmanageable. With good email detection, any company should be moderately safe: that means the detection achieved by the platforms (Google Workspace, Office 365), open source and free antispam filters, including filters contained in firewalls, and the protection from antivirus running on clients (on Windows, Android, ...). But as most companies have been successfully breached throughout the years, mostly SMBs, the new shift in organizations' mindset is that good email security is not enough. A few more bad emails passing through to their employees is all that is needed to cause a disaster, and all that is needed to justify investing in top security solutions.