
They quickly discovered that while the email appeared to have been sent by “accounts.recievable@clarkbuilders.com” the email address had been “spoofed.” The display name of the email was different than the actual originating account.

Isn't this glaring security issue trivially fixable from the perspective of an email client developer?

No, because SMTP "accounts" are trivially spoofable as well. (Edit: Although you wouldn't want to spoof that if you need to get replies, so maybe there is something the client can do here.) Maybe you could try to do some kind of trust-on-first-use on the chain of Received headers but that's going to generate false positives.


We do have several solutions in place for that, though. SPF, DKIM, among others. If this University were running on gmail I suspect this email would have been flagged for phishing (the builder did publish an SPF record), or outright rejected. However they run their own email servers[1].

[1] - They could of course do the same checks and even more, but among self-hosted installs it is common to disregard those additional securities.
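One way to implement the two checks this comment and the one above describe, as an added example that is not code from the thread, the article or any mail provider: a display-name check (the From: display name embeds an address whose domain differs from the real addr-spec) and an offline SPF evaluation of the connecting IP taken from the topmost Received: header. Everything is constructed: the `.example` domains, the documentation-range IPs, the SPF records that stand in for DNS TXT lookups, and the sample messages built by `make_message`. It also simplifies SPF: the real check runs on the MX against the envelope MAIL FROM/HELO domain, which a client never sees, so this evaluates the header From: domain's record instead, which is the alignment DMARC enforces on top of SPF.

```python
"""Added example (not from the thread or the article). Two checks on a
received message, using constructed data only:
1. Display-name check: From: display name embeds an address whose domain
   differs from the real addr-spec (the spoof the quoted article describes).
2. SPF check: the connecting IP from the topmost Received: header, evaluated
   offline against a constructed SPF TXT record for the header From: domain.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed records standing in for DNS TXT lookups; placeholder domains.
SPF_RECORDS = {
    "clarkbuilders.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "attacker.example": "v=spf1 ip4:203.0.113.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record for client_ip with no DNS. Only ip4, ip6 and
    all are implemented; include/a/mx/exists/redirect need DNS, so reaching
    one returns 'unsupported' rather than a guess. No match -> 'neutral'."""
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "unsupported"  # malformed mechanism argument
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]
        else:
            return "unsupported"
    return "neutral"


def display_name_mismatch(from_header):
    """Return (display_name, addr_spec, mismatch). mismatch is True when the
    display name contains an address whose domain differs from the addr-spec
    domain: the client shows one sender while replies go somewhere else."""
    name, addr = parseaddr(from_header)
    addr_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    embedded = re.findall(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", name)
    return name, addr, any(d.lower() != addr_domain for d in embedded)


def client_ip_from_received(msg):
    """Connecting IP from the topmost Received: header, the one the receiving
    MX wrote itself; lower Received: headers may have been forged."""
    received = msg.get_all("Received") or []
    m = re.search(r"\[([0-9a-fA-F.:]+)\]", received[0]) if received else None
    try:
        return str(ipaddress.ip_address(m.group(1))) if m else None
    except ValueError:
        return None


def analyze(raw_message, spf_records):
    """Run both checks; verdict is 'reject', 'flag' or 'ok'."""
    msg = message_from_string(raw_message)
    name, addr, mismatch = display_name_mismatch(msg["From"] or "")
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    client_ip = client_ip_from_received(msg)
    record = spf_records.get(from_domain)
    spf = evaluate_spf(record, client_ip) if record and client_ip else "none"
    if spf == "fail":
        verdict = "reject"
    elif mismatch or spf != "pass":
        verdict = "flag"
    else:
        verdict = "ok"
    return {"display_name": name, "address": addr, "client_ip": client_ip,
            "display_name_mismatch": mismatch, "spf": spf, "verdict": verdict}


def make_message(client_ip, from_header):
    # Constructed test message; not the one from the article.
    return (f"Received: from smtp.sender.example (smtp.sender.example [{client_ip}])\n"
            " by mx.university.example with ESMTP id 1; Mon, 3 Jun 2024 10:00:00 +0000\n"
            f"From: {from_header}\nTo: ap@university.example\n"
            "Subject: Updated remittance details\n\nPlease use the new account below.\n")


if __name__ == "__main__":
    cases = {
        "display-name spoof": make_message("203.0.113.5",
            '"accounts.receivable@clarkbuilders.example" <billing@attacker.example>'),
        "address spoof": make_message("203.0.113.5",
            "Clark Builders AR <accounts.receivable@clarkbuilders.example>"),
        "legitimate": make_message("198.51.100.10",
            "Clark Builders AR <accounts.receivable@clarkbuilders.example>"),
    }
    for label, raw in cases.items():
        print(f"{label}: {analyze(raw, SPF_RECORDS)}")
```

The three constructed cases show why both checks are needed: the display-name spoof passes SPF (the attacker's own domain publishes a valid record) and is caught only by the display-name check, while the bare address spoof has a clean display name and is caught only because the sender's `-all` record fails for the attacker's IP.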


What about PGP? No signature, immediate red flag.
