Use of the preview pane is a personal choice. I base my choice on what malicious code remediation processes are in place. If antivirus scanning is on the inbound link and desktop, plus if there is an e-mail content checker, I'm typically pretty comfortable with the auto preview. Also, remember that it really doesn't matter if the auto preview is vulnerable. The malicious code will infect you anyway, because most times the code is Microsoft VBS or some other automated/wonderful Microsoft security hole.
For more information on this topic, visit these other SearchSecurity resources:
Virus Prevention Tip: Eliminate all VBS worms and viruses
Virus Prevention Tip: Recognizing funny e-mails