But it is not a problem of the Helpdesk system, it's the mail server's job, isn't it? If it allows faking an email address so easily, then you should configure the mail server the right way.
And also, now if somebody fakes an agent's email address, this email will be added to the system too, but as a note! Isn't it the same? That would not be good either. I do not see any big difference here (note or reply).
And one more thing 🙂 Our company, for example, allows only internal mail for the helpdesk system. We do not support external users. I think there are quite a lot of companies that use a helpdesk system in this way. So for these companies there is no risk in fake agent replies.