Right, but a targeted phishing attack against an internal user is just as likely to rely on an application (or a facsimile of an application) you don't control, like a benefits management portal or something that supposedly authenticates through an SSO.
I guess if your argument is that there would be high value in eradicating open redirects wholesale, I sort of see your point. But the incremental value of eliminating one open redirect is marginal at best.
There is also value in customer trust. If a customer gets burned by a Google.com link, they are going to check next time they see such a link. Google would be better off if customers felt 'oh, it is Google so it must be safe'.
That might not be an issue for Google, but I could see it being a big problem for a company that relies heavily on projecting a "family friendly" image (think Disney).
Back in the day you could change some URL parameters and make it look like Toys R Us was selling firearms on their website because they used the same ecommerce back end as a sporting goods store. Like you'd go to the URL and it would be a hunting rifle (or whatever) but it would be on the Toys R Us site.
I don't think Toys R Us was ever harmed but it was mildly amusing and I'm sure a few people's panties got knotted after they found out Toys R Us doesn't actually sell firearms and they got all enraged over nothing.
I hadn't heard of this issue specifically, but it sounds like you may be talking about eBay Enterprise[1]. They ran a lot of e-commerce operations for brick and mortar stores at one point, including both Toys R Us and Dick's Sporting Goods.