Yes, it is hard to implement it in a way that would not be easily abuseable (intentionally or not).
Unfortunately, due to its history SMTP has many built-in insecurities that allow for easy abusing the email-sending functionality if you're not careful enough. And it's usually not a good idea to allow your users to send email freely, especially using any server they want.
Firstly, the console is used very often not just by admins and security (Splunk can and often does ingest and analyze many types of data - for example, I'm using it to track my car using GPS data :D).
Secondly - there is a legitimate way to send the emails - the proper alert action. And it's more or less the only way you really should need (and I'm not saying it as a splunk user or admin but as a 20+ years experienced email servers administrator).
And if you really, really need the functionality of sending any email to any recipient through any server, you can always write your own alertaction script. But I would strongly advise against it.