Seems like I wasn't clear enough. The point I was trying to get across in the posts above is that that rule of security does not apply to mIRC's DDE server, because processes utilizing it already need to be running on the same system as mIRC, in which case they can also use the SendMessage way of sending commands, modify mIRC's configuration files, start their own copy of mIRC, and anything else you can possibly think of (all of these methods are being used by worms already).
In other words, mIRC is already a "gateway" anyway (with or without DDE server), and malicious code that is able to use mIRC as a "gateway" can use other methods to do whatever it wants to do (e.g. spread on IRC), without using mIRC, and without any loss of its malicious "functionality."
So, if the DDE server were to be disabled by default, it would not be because of that reason.