But that's how security works. Reducing the surface area is great, nothing wrong with that. However, the system is only as strong as the weakest link. E-mail is hilariously insecure, so just avoiding a single layer, API, or applications and calling it done is not enough.