MS Outlook appears to be vulnerable to a lot of viruses simply because a lot of viruses are written that exploit flaws in the software. Its popularity as an email program/organizer application likely has a great deal to do with this.
That said, Outlook (and to a large extent most major MS applications) suffers from a design weakness. The whole philosophy of Microsoft products in general is that they should be easy to use and require as little technical knowledge as possible on the part of the user. While this is a noble goal, in the end, a lot of the inner workings are hidden from the user, which turns out to be a very bad thing.
In the case of MS Outlook, the software, upon noticing an incoming attachment, will try to determine what program to use in order to open the attachment automatically. The idea here is to spare the user the trouble of having to understand issues like various types of file formats, how to manipulate the attachment in question so as to best utilize its contents, etc… The software makes a “best guess” about what to do with the incoming email attachment based on information it has regarding the various file formats of which it’s aware and the corresponding applications that should work with those file formats. Outlook, in some cases, then tries to open the file so that the user is not required to figure out the technical details himself. Great, in theory, except the program never bothers to ask, “Should the attachment be opened/utilized/executed at this time?”; it assumes that if the user received the attachment in an email, he’d of course want to open that email attachment. So Outlook automatically opens certain attachments/bits of executable code, and the virus propagation begins.
While not specifically an MS Outlook design flaw, another silly thing that Microsoft Windows in general likes to do is hide the file extension by default (the part of the filename following the period). The file extension is the way Windows determines how the file should be handled (whether it should be executed, opened through another application, etc…). The idea in this case is to hide the file extension so that the user won’t accidentally modify the extension and cause the file to open improperly. If the user really needs to determine what type of file it is, the thinking goes that he can look at the icon next to the filename (the modified listing that’s missing the extension) and from that, determine what type of file it is. Again, great idea in principle, poor idea in practice. What virus writers will do to exploit this is email the attachment as something like README.TXT.EXE, an executable file containing the virus code. However, on your screen, it will show up as README.TXT, a simple text file. Thinking that plain text files are safe to open (they usually are), you go ahead and open it, and suddenly, you’re infected with a virus.
Can these design flaws be fixed? Sure they can; require a bit more effort and knowledge on the part of the user in order to operate the system at hand. Stop designing the software to assume it can figure out things on its own and have it wait for the user to make a few decisions regarding what to do next. And for goodness’ sake, stop trying to shield the user from the way the system actually works. But these modifications, in Microsoft’s eyes, would likely constitute a decrease in the “ease of usage” that Microsoft likes to build into their products and brag about, so don’t expect these types of changes to appear any time soon.
Why is it used so much? It comes packaged with Microsoft Office and it acts as a decent client when accessing Microsoft Exchange email servers.
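The hidden-extension problem described above (README.TXT.EXE displayed as README.TXT) can be checked mechanically at a mail gateway or in a triage script. The following is an added example, not part of the original post; the extension lists and the function names `split_name` and `check_attachment` are assumptions made for illustration.

```python
import ntpath

# Assumed, non-exhaustive extension lists for illustration only.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs"}
DOCUMENT_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".xls", ".htm"}


def split_name(filename):
    """Return (stem, ext) for the last path component, ext lower-cased."""
    # Windows drops trailing spaces and dots, so normalize them first.
    base = ntpath.basename(filename).rstrip(" .")
    stem, ext = ntpath.splitext(base)
    return stem, ext.lower()


def check_attachment(filename):
    """Compare the name the user sees with the extension Windows acts on."""
    stem, real_ext = split_name(filename)
    # With extensions hidden for a registered file type, only the stem shows.
    shown = stem
    _, shown_ext = split_name(stem)
    if real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS:
        verdict = "masquerade"   # displays as a document, runs as a program
    elif real_ext in EXECUTABLE_EXTS:
        verdict = "executable"   # honestly named, still should not auto-open
    else:
        verdict = "ok"
    return {"shown": shown, "real_ext": real_ext, "verdict": verdict}


if __name__ == "__main__":
    # Constructed sample names; README.TXT.EXE is the example from the text.
    for name in ["README.TXT.EXE", "setup.exe", "notes.txt", "report.final.txt"]:
        print(name, "->", check_attachment(name))
```

A "masquerade" verdict is the case worth quarantining outright, since the displayed name and the handler Windows will choose disagree.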